APD/GBA (Belgium) - 131/2024: Difference between revisions

From GDPRhub
No edit summary
 
(2 intermediate revisions by one other user not shown)
Line 69: Line 69:
}}
}}


The DPA reprimanded a media company since the cookie banner of one of its websites was not displaying a "reject all" button and was inducing data subjects to click on the "accept all" button through a catchy colour.
The DPA reprimanded a media company for failing to implement an option to reject cookies on the first layer of the cookie banner on one of its websites. Also, the option to accept all cookies was unlawfully highlighted in a catchy colour.


== English Summary ==
== English Summary ==
Line 83: Line 83:
* the usage of a vivid colour for the “Accept all” button misleads data subjects and violates [[Article 5 GDPR#1a|Articles 5(1)(a)]], [[Article 6 GDPR#1a|6(1)(a)]] and [[Article 7 GDPR#1|7(1) GDPR]] and [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32002L0058 Article 5(3) ePrivacy Directive 2002/58/EC] as implemented by [https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=2018073046&table_name=loi#Art.%2010/2. Article 10/2 Loi-cadre];
* the usage of a vivid colour for the “Accept all” button misleads data subjects and violates [[Article 5 GDPR#1a|Articles 5(1)(a)]], [[Article 6 GDPR#1a|6(1)(a)]] and [[Article 7 GDPR#1|7(1) GDPR]] and [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32002L0058 Article 5(3) ePrivacy Directive 2002/58/EC] as implemented by [https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=2018073046&table_name=loi#Art.%2010/2. Article 10/2 Loi-cadre];
* the fact that the banner does not allow to withdraw consent as easily as it is possible to give that consent is a violation of [[Article 5 GDPR#1a|Articles 5(1)(a)]] and [[Article 17 GDPR#1b|17(1)(b) GDPR]] and [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32002L0058 Article 5(3) ePrivacy Directive 2002/58/EC] as implemented by [https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=2018073046&table_name=loi#Art.%2010/2. Article 10/2 Loi-cadre].
* the fact that the banner does not allow to withdraw consent as easily as it is possible to give that consent is a violation of [[Article 5 GDPR#1a|Articles 5(1)(a)]] and [[Article 17 GDPR#1b|17(1)(b) GDPR]] and [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32002L0058 Article 5(3) ePrivacy Directive 2002/58/EC] as implemented by [https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=2018073046&table_name=loi#Art.%2010/2. Article 10/2 Loi-cadre].




First of all, the controller argued that ''noyb'' cannot represent the data subject since, when she filed the complaint, she was volunteering as a trainee for that organisation.
First of all, the controller argued that ''noyb'' cannot represent the data subject since, when she filed the complaint, she was volunteering as a trainee for that organisation.


Furthermore, it argued that the GDPR does not require websites to have a “reject all” button, nor the “accept” button to have a specific colour.
Furthermore, the controller noted that the GDPR does not require websites to have a “Reject all” button, nor the “Accept” button to have a specific colour.


=== Holding ===
=== Holding ===
Line 120: Line 121:


<pre>
<pre>
1/33
# Contentious Chamber
 
Decision on the Merits 131/2024
Litigation Chamber
Date: October 11, 2024
 
Case Number: DOS-2023-03283
Decision on the merits 131/2024 of 11 October 2024
Subject: Complaint regarding the cookie banner on RTL Belgium's website
 
File number: DOS-2023-03283
 
Subject: Complaint relating to the cookie banner on the RTL Belgium website
 
The Litigation Chamber of the Data Protection Authority, consisting of Mr.
 
Hielke H IJMANS, President, and Messrs. Christophe Boeraeve and Jelle Stassijns, members;
 
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
 
protection of natural persons with regard to the processing of personal data and on the
 
free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR";
 
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter
 
"LCA");
 
Having regard to the internal regulations as approved by the Chamber of Representatives on
 
20 December 2018 and published in the Belgian Official Journal on 15 January 2019; 1
 
Having regard to the documents in the file;
 
Has taken the following decision regarding:
 
The complainant: X, represented by noyb – European Center for Digital Rights, located at
 
Goldschlagstraße 172/4/3/2, 1140 – Vienna (AT), registered in Austria under
 
company number ZVR 1354838270, hereinafter “the complainant”
 
The defendant: RTLBelgium, whose registered office is established at Avenue Jacques Georgin, 2–1030
 
Schaerbeek, registered under company number 0428.201.847, represented
 
by Laurence Vandenbrouck, hereinafter “the defendant”
 
1The new internal regulations of the DPA, following the amendments made by the Law of 25 December 2023
amending the Law of 3 December 2017 establishing the Data Protection Authority (LCA) have entered into force in force on
01/06/2024.
 
In accordance with Article 56 of the Law of 25 December 2023, it only applies to complaints, mediation files,
requests, inspections and procedures before the Litigation Chamber initiated from this date:
https://www.autoriteprotectiondonnees.be/publications/reglement-d-ordre-interieur-de-l-autorite-de-protection-des-
donnees.pdf.
 
Files initiated before 01/06/2024, as in this case, are subject to the provisions of the LCA not amended by the Law of 25 December 2023 and the internal regulations as they existed before this date. Decision on the merits 131/2024 — 2/33
 
I. Facts and procedure
 
1. On 19 July 2023, the complainant filed a complaint with the Data Protection Authority
 
against the defendant. The Litigation Chamber takes into account the fact that the
 
complaint form is dated 18 July 2023, but it was filed with the DPA
 
on the night of 18 July 2023 to 19 July 2023, and therefore it is this latter date that
 
must be taken as the date of the formal filing of the complaint.
 
2. The subject of the complaint concerns several elements relating to the cookie banner
 
present on the defendant's website. These allegedly contravene the principles of the GDPR and
 
the Framework Law.
 
3. On 10 February 2023, the complainant visited the defendant's website as part of a
 
project initiated with one of her colleagues during her internship at noyb. She stated that she
 
took this initiative in order to check whether certain websites – including the defendant's –
 
belonging to large Belgian press groups that had previously been the subject of a
 
transaction with the DPA were GDPR compliant. During this visit, the complainant and her
 
colleague identified potential GDPR violations. Following this observation, the complainant
 
took a HAR file to document these potential violations. In the meantime, she
 
mandated noyb, mainly to obtain technical assistance, as she was not
 
able to prepare the HAR file herself. Subsequently, the complainant prepares a complaint,
 
whose grievances, identical to the arguments raised in her conclusions, will be developed
 
in point 16. As part of its mandate, noyb rereads and corrects the complaint prepared by the
 
complainant. It is appropriate to note a certain ambiguity in the complainant's statements
 
concerning the preparation of the complaint, the latter having also mentioned that noyb had
prepared the complaint and that she had simply drafted part of it and reread the rest.
 
4. On August 4, 2023, the Front Line Service (hereinafter the "FLS") asks noyb to
 
inform it of the complainant's interest in acting.
 
5. On 25 August 2023, the complaint was declared admissible by the SPL on the basis of Articles 58 and
 
60 of the LCA and the complaint was forwarded to the Litigation Chamber pursuant to Article 62, §
 
1 of the LCA.
 
6. On 1 September 2023, noyb responded to the SPL that the complainant demonstrated an interest in acting
 
since she was a data subject, her personal data having been
 
processed after having consented to the deposit of cookies on the defendant's website. Since the
 
processing of this data was considered by herself and noyb to be unlawful, the
 
complainant considered that her rights had been affected. In this regard, it relies on
 
annexes. In any event, noyb declares that the demonstration of an interest in acting on the
 
part of the complainant does not constitute a condition of admissibility of the complaint. Decision on the merits 131/2024 — 3/33
 
7. On 20 October 2023, the Litigation Chamber proposed a settlement – previously
 
communicated to the complainant – to the defendant.
 
8. On 27 November 2023, the defendant did not consider the terms of the
 
settlement acceptable, and therefore requested a reassessment of the latter. It did not express opposition to
 
a new settlement proposal.
 
er
9. On 1 December 2023, the Litigation Chamber responds that it will withdraw the
 
settlement proposal unless decisive elements are provided before 6 December
2023.
 
10. On 18 December 2023, the Litigation Chamber formally withdraws the
 
settlement proposal.
 
11. On 5 February 2024, the Litigation Chamber decides, pursuant to Article 95, §1, 1° and
 
Article 98 of the LCA, that the case may be dealt with on the merits.
 
On the same date, the parties concerned are informed by registered mail of the
provisions as set out in Article 95, §2 and Article 98 of the LCA. They are
 
also informed, pursuant to Article 99 of the LCA, of the deadlines for submitting their
 
submissions. The deadline for receipt of the respondent's submissions in
 
response was set at 18 March 2024, that for the complainant's submissions in reply at 8 April
 
2024 and that for the respondent's submissions in rejoinder at 29 April 2024.
 
12. On 8 February 2024, the respondent agreed to receive all communications relating
 
to the case electronically, and expressed its intention to use the possibility of being
 
heard, in accordance with Article 98 of the LCA. She requests by the same email a
 
copy of the file (art. 95, §2, 3° LCA), which is sent to her on 19 February 2024.
 
13. On 9 February 2024, the complainant agrees to receive all communications relating
 
to the case electronically. She requests by the same email a copy of the file (art. 95,
 
§2, 3° LCA), which is sent to her on 19 February 2024. She also requests that the
 
procedure continue in Dutch.
 
14. On 19 February 2024, the Litigation Chamber decided to maintain the language of the proceedings
 
in French, since the complaint was filed in French, the website of the
 
defendant against whom the complaints are directed is French-speaking and the
 
complainant does not provide any other evidence in favour of a change of language for the
 
continuation of the proceedings. Furthermore, in view of the time taken to communicate the
 
administrative file to the parties, the Litigation Chamber decided to extend the deadlines for the
 
exchange of submissions.
 
The new deadline for receipt of the respondent's submissions in response is now set at 25 March 2024, that for the complainant's submissions in reply at 15 April 2024 and that for the respondent's submissions in rejoinder at 6 May 2024. Decision on the merits 131/2024 — 4/33
 
15. On 25 March 2024, the Litigation Chamber received the submissions in response from the
 
defendant. The defendant having filed additional and summary submissions, the content of the submissions in response is summarized in point 17.
 
16. On April 15, 2024, the Litigation Chamber received the submissions in reply from the
 
complainant, their content can be summarized as follows:
 
• Concerning the admissibility and admissibility of the complaint, the complainant concludes
as follows:
 
o Article 220, §2, 1° of the Law of July 30, 2018 on the protection of
 
natural persons with regard to the processing of personal data (hereinafter the
 
"Framework Law") must be set aside by the DPA since it violates
Article 80.1 of the GDPR.The complainant considers that Article 26, §4 of the Special Law of 6 January 1989 on the Constitutional Court (hereinafter “the Special Law”) is not applicable in this case, given that the DPA is not a court of the judicial system, and that it should therefore not submit a preliminary question before setting aside the aforementioned provision of the Framework Law. Furthermore, it adds that even if Article 26, §4 of the Special Law were applicable in the present proceedings, this would still not constitute an obstacle to setting aside Article 220, §2, 1° of the Framework Law, given that the primacy of European law is absolute. In this regard, it relies on judgments of the Court of Justice of the European Union (hereinafter “CJEU”); o The mandate cannot be criticized for not being specific enough in that,
 
on the one hand, the terms of the mandate make it possible to determine what
 
one is authorized to act for, and, on the other hand, Article 1984 of the Civil Code does not require
 
that a mandate be drafted in more specific terms than the mandate in the
case in point;
 
o The complaint is admissible on the understanding that it was signed by the chairman
 
of the board of directors denoyb in accordance with Article 58 of the LCA. In
 
this regard, the complainant argues that the aforementioned article does not
 
specify that the complaint must be signed specifically by the complainant, and
 
therefore leaves the possibility for a complainant’s representative to sign it. In
 
addition, the complainant notes that the signature of the complaint does not constitute a ground
 
for admissibility within the meaning of Article 60 of the LCA and that its absence cannot
 
therefore lead to the inadmissibility or rejection of the complaint;
 
o The complainant is validly represented by noyb within the meaning of Article 80.1
 
of the GDPR. The fact that the complainant has completed an internship within noyb does not alter this finding. The complainant relies in particular on a judgment of the CJEU
 
in which the latter recognizes that a complainant, who nevertheless had a
 
relationship of subordination with noyb, is validly represented by the latter.
 
• On the merits of the case, the complainant concludes as follows:
 
o Type 1 violation: the defendant has failed to comply
 
with Articles 5.1.a), 6.1.a) and 7.1 of the GDPR, as well as Article 5.3 of the
 
ePrivacy Directive and Article 10/2 of the Framework Law by not presenting the
 
“Accept all” and “Reject all” options at the same level of information on its
 
cookie banner. The cookie banner has an “Accept and close” button, and a
 
“Learn more” button. However, there is no button to refuse the installation of all cookies. The requirement for
 
the buttons to accept or refuse cookies to appear at the same level of information
 
arises in particular from the EDPB guidelines and the opinion of the majority of supervisory authorities;
 
o Type 2 Violation: the defendant was guilty of a breach
 
of Articles 5.1.a), 6.1.a) and 7.1 of the GDPR, as well as Article 5.3 of the
ePrivacy Directive and Article 10/2 of the Framework Law by making misleading use of the
 
colours of its buttons in its cookie banner. The button
 
to accept the installation of cookies is in a striking colour, while the “More information” button is
 
the same colour as the background of the cookie banner
 
o Type 3 violation: the defendant has failed to comply
 
with Articles 5.1.a), 17.1.b) of the GDPR, as well as Article 5.3 of the
 
ePrivacy Directive and Article 10/2 of the Framework Law in that it does not
 
allow for a withdrawal of consent as simple as its granting regarding the
 
deposit of cookies. While granting consent requires only one click – or
 
two if necessary –, the same is not true for withdrawing consent, which
 
requires more. In addition, withdrawing consent requires going to a specific section of the
 
RTL website.
 
17. On 6 May 2024, the Litigation Chamber received the additional and summary submissions from the defendant. Their content can be summarised as follows:
 
• Concerning the admissibility and admissibility of the complaint, the defendant concludes
 
as follows:
 
o The complaint is not admissible on the understanding that noyb, mandated by the
 
complainant, would not be validly constituted under Article 220, §2,
 
1° of the Framework Law sincenoyb would not be a non-profit body or association Decision on the merits 131/2024 — 6/33
 
validly constituted in accordance with Belgian law.
 
Aware of the doubts that remain as to the compatibility between this
 
provision and Article 80.1, it nevertheless states that the Belgian
 
provision cannot be set aside without the Constitutional Court having
 
expressed itself on this subject after having been seized of a preliminary
 
ruling (Art. 26, §4 of the Special
 
Law). Therefore, if the Contentious Chamber intends to set aside Article
 
220, §2, 1° of the Framework Law, it must submit a
 
preliminary ruling question to the Constitutional Court under Article 26, §4 of the
 
Special Law. In this regard, the defendant
 
points out that the aforementioned provision of the Special
 
Law does indeed apply to the Contentious Chamber;
 
o The plaintiff’s mandate is invalid in that it is not
 
defined with sufficient precision. The defendant relies in particular on a
 
ruling of the Court of Cassation in which a mandate – similar to that in
 
the present case according to the defendant – was sanctioned for lack of
 
precision. The defendant also highlights contradictions, such as the fact that
 
the signatory of the mandate is not the same as the one of the complaint, the fact
 
that the mandate does not refer to Article 80.1 of the GDPR, and the fact
 
that the mandate indicates that noyb is mandated to act before the DPA, but
 
that it can also unilaterally decide on the judicial and extrajudicial
 
actions it deems appropriate;
 
o It considers that the complaint must be declared inadmissible on the understanding
 
that it was not signed by the complainant, but by the chairman of the board
 
of directors of noyb. The defendant points out that above the
 
signature of the chairman of the board of directors of noyb is the
 
wording “For noyb”. This indicates, according to the defendant, that the
 
complaint is thus filed in the name and on behalf of noyb, whereas it
 
should have been done in the name and on behalf of the complainant. Although it
 
acknowledges that a third party can file a complaint on behalf of a
 
complainant, it notes that it is still necessary to demonstrate a
 
sufficient interest in acting, which noyb fails to do according to it. In any event, it considers the
 
signature, unlike the complainant, to be a condition of admissibility
 
it being understood that Article 58 of the LCA, which enshrines it, is presented in
 
the law under the section “Referral and admissibility of a complaint or a
 
application”;
 
o The defendant considers that noyb acts as a complainant and not as
 
an agent. noyb does not demonstrate a sufficient interest in acting since its claims, in the context of the case, do not seek to defend the
 
concrete interests of the complainant, but rather join the defense of its public
 
interests. The defendant adds that noyb makes very little reference to the
 
complainant, and that hiring interns to actively seek out GDPR
 
infringements is part of its business model.
 
• On the merits of the case, the defendant concludes as follows:
 
o Type 1 violation: the defendant has not been guilty of the alleged
 
breaches. First, neither the GDPR nor the Framework Law require
 
the implementation of a button to refuse all cookies at the
 
first information level of the cookie banner. Second, the guidelines of the
 
European Data Protection Board (hereinafter “EDPB”) and the opinions of the
 
supervisory authorities constitute soft law, and are therefore not
 
binding. Also, the defendant alleges that its cookie banner
 
presents the “Accept all” and “Reject all” buttons on the same level.
 
o Type 2 violation: the defendant has not been guilty of the alleged
 
breaches. First of all, neither the GDPR nor the Framework Law require
 
that the buttons to accept or refuse cookies be of the same
 
colour. Furthermore, the colours chosen in this case are only the
 
expression of an artistic freedom, reflecting the visual
 
identity of the brand. In addition, the colours chosen allow for a more coherent and aesthetically pleasing
 
experience for users. It also considers that the use of distinct colours can
 
in particular improve the readability and accessibility of information for
 
people with visual difficulties. Finally, it considers that noyb
 
does not explain to what extent the colours used by itself
 
can “manifestly mislead” users when they are
 
confronted with the cookie banner.
 
o Type 3 violation: the defendant has not been guilty of the alleged
 
breaches, it being understood that through the “Manage
 
cookies” section on its website, the user can at any time
 
withdraw his or her consent to the deposit of cookies. In this regard, it cites
 
an extract from decision 36/2024 of the Litigation Chamber as follows:
 
“In addition, the cookie banner can easily be recalled in order to
 
change the cookie settings, by means of a URL address at the bottom
 
of the page, entitled “Manage cookies””. Finally, it states that it is not aware of
 
any supervisory authority recommending the procedure described by noyb Decision on the merits 131/2024 — 8/33
 
which would consist of the installation of a floating button, permanently
 
visible, and allowing consent to be withdrawn at any time.
 
18. On 20 June 2024, the parties are informed that the hearing will take place on 1 July 2024.
 
19. On 1 July 2024, the parties are heard by the Litigation Chamber.
 
20. On 8 July 2024, the minutes of the hearing are submitted to the parties.
 
21. On 12 July 2024, the Litigation Chamber receives from the complainant
 
some comments on the minutes, which are annexed thereto
 
in accordance with Article 54, paragraph 2 of the Rules of Procedure.
 
22. On 17 July 2024, the Litigation Chamber receives from the defendant
 
some comments on the minutes, which are annexed thereto in accordance
 
with Article 54, paragraph 2 of the Rules of Procedure.
 
II. Motivation
 
II.1. As to the procedure
 
er
23. During the hearing held on 1 July 2024, the defendant made two preliminary
 
remarks to which it is necessary to respond. It raises with the
 
Litigation Chamber (i) that a procedure sharing some similarities with the
 
present case is pending before the Market Court. In this procedure, a
 
settlement proposal had been submitted to a data controller, which was unilaterally
 
withdrawn by the Litigation Chamber. The data controller therefore appealed
 
to the Market Court, thus contesting the unilateral withdrawal of the
 
settlement proposal by the Litigation Chamber. The defendant therefore asks whether it would
 
not be appropriate to suspend the present procedure until the
 
Market Court delivers its judgment. (ii) Furthermore, the defendant points out to the Litigation Chamber that the
 
complainant practiced as a lawyer in the law firm that represented the APD
 
before the Market Court in the case cited above. It considers that this
 
could suggest a possible conflict of interest or a possible breach of the principle
 
of impartiality – both in its subjective and objective dimension.
 
(i) As for the remark relating to the proceedings pending before the Market Court
 
24. The Litigation Chamber, as it had responded at the time of the hearing, stresses that the
 
proceedings pending before the Market Court are not comparable to the present
 
case. Indeed, while the procedure before the Market Court to which the defendant
 
2The Market Court has since delivered its judgment, see in this regard Judgment of the Brussels Court of Appeal (Market Court section) Decision on the merits 131/2024 — 9/33
 
refers concerns a settlement proposal that was unilaterally withdrawn by
 
the Litigation Chamber and that was contested by the party to whom the proposal had been
 
submitted, it should be noted that in the present case the defendant rejected the
 
terms of the settlement proposal that was proposed to it. When the Litigation
 
Chamber informed the defendant that it would withdraw the proposal, the defendant did not object.
 
Consequently, there is formally no longer a settlement proposal in the present case, and the procedure is validly continuing with an examination
 
of the merits of the file.
 
(ii) As for the possible conflict of interest or the possible breach of the principle of impartiality
 
25. Although the principle of impartiality applies to administrative authorities, including
 
the Contentious Chamber, it should be noted that according to a consistent case law of the
 
Council of State: "the general principle of impartiality must be applied to any body of
 
the active administration. It is sufficient that an appearance of bias could have given rise to
 
legitimate doubts in the applicant as to the ability to approach his case with complete impartiality.
 
However, this principle only applies to the extent that it is consistent with the
 
specific nature, and in particular with the structure of the active administration. Furthermore,
 
the impartiality of a collegiate body can only be called into question if, on the one hand, specific facts
 
which raise suspicions of bias on the part of one or more members of the
 
college can be legally established and, on the other hand, it is clear from the
 
circumstances that the bias of this or these members could have influenced
 
the entire college. It is up to the person
 
who alleges that the authority did not act with independence, impartiality and
 
thoroughness to provide proof of this."
 
26. It is therefore up to the party invoking the breach of the principle of impartiality
 
to provide proof of specific facts from which it should be concluded that the
 
principle of impartiality has been breached.
 
27. A distinction is made between objective impartiality and subjective impartiality.
 
28. The Litigation Chamber underlines, firstly, that the law firm concerned was
 
selected following a public procurement contract (in tempore non suspecto), and must therefore
 
respect the principles of equality, non-discrimination, transparency and proportionality
 
with regard to all bidders, as well as rely on objective award criteria.
 
Furthermore, the complainant is acting as a data subject, and this without
 
any connection with her profession as a lawyer, formerly practiced for the law firm concerned.
 
Since the defendant has not provided any further evidence to demonstrate
 
that the Litigation Chamber gave the appearance of bias, the Litigation
 
Chamber cannot conclude that it has breached the principle of objective impartiality.
 
3C.E., 30 November 2022, 255.145, Lemaire and Loslever; see also C.E., 19 January 2022, 252.684, XXX. Decision on the merits 131/2024 — 10/33
 
29. Next, the Litigation Chamber notes that the defendant does not provide any evidence
 
expressing how it could have acted with bias, or that it could have, for
 
example, intervened in the context of these proceedings in a manner that undermined
 
the objectivity of the proceedings. Ultimately, the defendant does not provide any evidence of
 
the concrete actions of the Litigation Chamber that would allow it to be concluded
 
that the latter acted with bias.
 
30. By way of conclusion, the Litigation Chamber considers that there is no risk of conflict
 
of interest in the present case and that it has not failed to comply with the principle of impartiality, whether
 
in its objective or subjective dimension.
 
II.2. As to the admissibility and admissibility of the complaint
 
II.2.1. As for the constitution of noyb
 
31. Article 80.1 of the GDPR provides that "the data subject shall have the right to mandate a
 
non-profit body, organisation or association, which has been validly
 
constituted in accordance with the law of a Member State, whose statutory objectives are
 
of public interest and is active in the field of the protection of the rights and freedoms of
 
data subjects within the framework of the protection of personal data
 
concerning, to lodge a complaint on his or her behalf, to exercise on his or her
 
behalf the rights referred to in Articles 77, 78 and 79 and to exercise on his or her
 
behalf the right to obtain compensation referred to in Article 82 where
 
5
the law of a Member State so provides." .
 
32. Article 220, §2 of the Framework Law specifies that:
 
Ҥ 2. In the disputes provided for in paragraph 1, a body, an organization or
 
a non-profit association must:
 
1° be validly constituted in accordance with Belgian law;
 
2° have legal personality;
 
3° have statutory objectives of public interest;
 
4C.E., 26 January 2018, Viaene and the Belgian State, 240.585.
5
It is the Litigation Chamber which emphasizes. See. also the first part of recital 142 of the GDPR: (142):
Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the
right to request a non-profit body, organisation or association, established in accordance with
Member State law, whose statutory objectives are of public interest and which is active in the field of personal data
protection, to lodge a complaint on his or her behalf with a supervisory authority, to exercise the right to
a judicial remedy on behalf of the data subject or, where provided for by Member State law, to exercise the right
to obtain redress on behalf of data subjects.
6
The preparatory work of the LTD mentions that the 3-year condition applies both to the existence of legal personality and to the exercise of activities in the field of data protection. See House of Representatives, Draft Law on the Protection of Individuals with regard to the Processing of Personal Data, Doc. Parl.,
DOC 54 31/26/001 (article-by-article commentary – Article 220). Decision on the substance 131/2024 — 11/33
 
4° be active in the field of protection of the rights and freedoms of
 
data subjects in the context of the protection of personal data for at least three years.
 
§ 3. The non-profit body, organisation or association provides proof,
 
by presenting its activity reports or any other document, that its
 
activity has been effective for at least three years, that it corresponds to its
 
corporate purpose and that this activity is related to the protection of personal
 
data.
 
33. The Litigation Chamber has already had the opportunity to express doubts as to the
 
compatibility of certain aspects of the Belgian provision with that of the GDPR. 7
 
34. The primacy of European law implies the exclusion of any national provision that
 
cannot be interpreted in accordance with a standard of European law – this
 
exclusion constituting a duty for all State organs, including the judicial and
 
administrative authorities responsible for applying European law within the framework of their
 
respective competences. 8
 
35. If there are reasons to believe that a law – within the meaning of Article 22 of the
 
Constitution – would violate “a fundamental right guaranteed in a totally or partially analogous
 
manner by a provision of Title II of the Constitution as well as by a provision of
 
European law […]”, it is then for the court before which this situation arises
 
to refer a preliminary question to the Constitutional Court.
 
36. The CJEU has held 10 that an incidental procedure for reviewing the
 
constitutionality of national laws complies with EU law, provided that this procedure
 
complies with 4 conditions, which follow:
 
- The other national courts remain free “to refer to the Court, at any stage of the
 
procedure which they consider appropriate, and even at the end of the incidental procedure
 
for review of constitutionality, any preliminary question which they
 
consider necessary”;
 
- Other national courts remain free to “adopt any measure
 
necessary to ensure the provisional judicial protection of the rights
 
conferred by the legal order of the Union”;
 
7See Decision of the Contentious Chamber 39/2024 of 22 February 2024, paragraph 30; Decision of the Contentious
 
Chamber 22/2024 of 24 January 2024, paragraph 32.
 
8 CJEU, 4 December 2018, C-378/17, Minister for Justice and Equality and Commissioner of the Garda Síochána,
ECLI:EU:C:2018:979, paragraphs 37 and 38.
9Article 26, §4, Special Law of 6 January 1989 on the Constitutional Court, Official Journal, 7 January 1989, p. 315.
 
10CJEU, 22 June 2010, C-188/10, Melki, ECLI:EU:C:2010:363. Decision on the merits 131/2024 — 12/33
 
- The other national courts remain free “to disapply, at the end of
 
such incidental proceedings, the national legislative provision in question if
 
they consider it to be contrary to Union law”;
 
- “It is for the referring court to verify whether the
 
national legislation at issue in the main proceedings can be interpreted in
 
accordance with these requirements of Union law”.
 
37. The Contentious Chamber notes that the special legislator has limited the scope of
 
Article 26, §4 of the Special Law to ordinary and administrative courts only.
 
38. However, the Contentious Chamber is not within the jurisdiction of the judiciary – it is in fact an
 
administrative authority.2
 
39. Consequently, Article 26, §4 of the Special Law does not apply to the
 
Contentious Chamber, and the latter is not obliged or able to submit a
 
preliminary question to the Constitutional Court.
 
40. Given that there is no other incidental procedure for reviewing
 
constitutionality, the Contentious Chamber must directly do everything
 
necessary to give full effect to the standards of European law that it
 
must apply within the scope of its powers – namely Article 80.1 of the
 
GDPR in relation to the present case.
 
41. In line with what was stated in point 33, the Litigation Chamber states
 
that Article 220, §2, 1° of the Framework Law is contrary to the aforementioned provision of the GDPR,
 
it being understood that it restricts the scope of application of the latter, so that they are
 
irreconcilable.
 
42. Consequently, the application of Article 220, §2, 1° of the Framework Law should be excluded.
 
II.2.2. Validity of the mandate
 
43. Concerning the mandate of representation, the Litigation Chamber notes that it
 
mentions the data of the principal and the agent, and that the former mandates the
 
latter to represent her before the APD and to take any action
 
necessary to ensure that her rights are respected regarding the collection and processing of her data on the
defendant’s website. The Litigation Chamber adds that, in the annexes to
 
the 1 Special Bill of 15 January 2014 amending the Special Law of 6 January 1989 on the Constitutional Court,
Explanatory Memorandum, 2013-2014 Ordnance Session, No. 53-2438/1, p. 6.
12
Draft law of 23 August 2017 establishing the Data Protection Authority, Explanatory Memorandum, Parl. Doc., Repr. Ch., Ord. Sess. 2016-2017, No. 54-2648/1, p. 8; See also the Procurement Court, judgment of 31 October 2023, No. 2023/AR/821.
13The DPA has full authority to submit a preliminary question to the Constitutional Court through the Brussels Court of Appeal (Procurement Court section) in a case to which the DPA is a party, for example. Decision on the merits 131/2024 — 13/33
 
complaint form, the mandate is entitled as follows: “Exhibit 1 – Representation agreement
 
pursuant to Article 80(1) GDPR”.
 
44. First of all, concerning this last element, the Litigation Chamber cannot agree
 
with the defendant’s reasoning when the latter claims that noyb attempted to
 
“hide” the absence of a reference to Article 80.1 of the GDPR in the body of the mandate. On the one hand,
 
noyb claims that this reference was already included when the mandate was signed. On the other hand,
 
the Litigation Chamber notes that the validity of the mandate must, where appropriate, be
 
examined at the time of filing the complaint. Therefore, it does not appear likely that
 
noyb sought to “camouflage” the absence of a reference to Article 80.1 of the GDPR – to the
 
strict extent that the absence of a reference to Article 80.1 of the GDPR would render the mandate invalid –
it being understood that it would have been sufficient to redo the mandate. Consequently, the mandate should be read
 
in light of its title as an annex. Read in this way, there is no doubt that the
 
mandate was concluded within the framework of Article 80.1 of the GDPR.
 
45. Next, with regard to the possible contradictions in the mandate that the
 
defendant is subject to, the Litigation Chamber recalls that it could not assess the mandate too
 
restrictively. As an administrative authority, the Litigation Chamber monitors the proper
 
implementation of the GDPR. In this capacity, it is empowered to adopt one or more of the sanctions
 
listed in Articles 95, §1 or 100, §1 of the LCA – and this in order, in particular, to protect
 
the fundamental rights of the persons concerned. The mandate, as it appears in the
 
documents in the file, makes it possible to determine the parties to this contract, the data controller
 
against whom the complainant addresses her grievances, the supervisory authority to
 
which it is planned to file a complaint and a reference to Article 80.1 of the
 
GDPR within the framework of which the mandate is adopted. These elements make it possible to justify the actions that noyb
 
undertakes in the name and on behalf of the complainant with the DPA. The imposition of
 
more conditions on the mandate would undermine the duty of control incumbent on the
 
Litigation Chamber, but also the rights of the persons concerned. For all intents and purposes, the Litigation Chamber specifies that the elements of the mandate cited above cannot be interpreted as setting any minimum threshold.
 
46. Finally, and in any event, the Litigation Chamber notes that Article 17 of the Judicial Code does not apply to the Litigation Chamber, the latter being an administrative authority as set out in point 38.
 
II.2.3. Failure to sign the complaint
 
47. Article 58 of the LCA provides that "Any person may file a written, dated and signed complaint or request with the Data Protection Authority." Decision on the merits 131/2024 — 14/33
 
48. Article 60 of the same Law provides that, when examining the admissibility of
 
complaints it receives, the SPL verifies that the complaint is “drafted in one of the
 
national languages”, that it “contains a statement of the facts and the
 
necessary information to identify the processing to which it relates”, and that the
 
complaint “falls within the competence of the Data Protection Authority”.
 
49. Contrary to what noyb maintains, these two provisions should not be read separately,
 
but together. Thus, the formal requirements prescribed by Article 58 of the LCA
 
must also be taken into account in the admissibility examination referred to in Article 60 of the
 
same Law.
 
50. The Litigation Chamber notes that the complaint form was signed by the chairman of the
 
board of directors of noyb, with the following statement: "For noyb".
 
51. In this regard, the Belgian legislature has specified that the signature must come from "the person
14
competent in the matter", but not necessarily from the complainant. Thus, it must be
 
understood that at least the agent may sign the complaint form. This also follows from Article 80.1 of the GDPR, which provides that the data subject has the right to
 
mandate “a non-profit body, organisation or association […] to
 
lodge a complaint on his or her behalf, to exercise on his or her behalf the rights referred to in Articles 77,
 
78 and 79 [of the GDPR]”.
 
52. As a legal entity, noyb must be represented by one of its members in the
acts it performs. Thus, the chairman of the board of directors of noyb signed the
 
complaint form – in the exercise of this function, which authorises him or her to such acts.
 
53. It cannot be inferred from the statement "For noyb" that noyb is acting as a complainant, since
 
this statement is specifically intended to engage the liability of noyb, and not that of the
 
chairman of the board of directors of noyb in his capacity as a natural person.
 
II.2.4. Interest in bringing proceedings
 
54. The Litigation Chamber is not unaware of the content of its decision 22/2024, however it is
 
necessary to note the differences that distinguish the facts arising from the above-mentioned
 
decision from the facts arising from this decision.
 
55. Although the complainants share, in both decisions, the fact of having completed an
internship at noyb, and, in this context, of having consulted websites which subsequently
 
motivated the filing of a complaint with the DPA, it should not be ignored that at the origin of the facts
 
examined in Decision 22/2024, noyb had put in place a large-scale plan with a view to
 
filing dozens of complaints against multiple data controllers
 
14Draft Law of 23 August 2017 establishing the Data Protection Authority, Explanatory Memorandum, Parl. Doc., Repr. Ch.,
Ord. Session 2016-2017, No. 54-2648/1, p. 40 Decision on the merits 131/2024 — 15/33
 
with various supervisory authorities – including the DPA. In addition, the complainant had
 
explicitly acknowledged having been assigned various files, including the website
 
of the defendant of the aforementioned decision. These elements – combined with others –
 
led the Litigation Chamber to consider that the mandate concluded between the complainant and
 
noyb was then fictitious. However, such a conclusion cannot be reached in the present
 
case. The complainant – French-speaking – in fact consulted the website – French-speaking – of
 
the defendant on the basis of a personal initiative, which does not fall within the framework
 
of noyb’s other coordinated projects. There is nothing in principle to prevent noyb from
 
representing one of its employees or trainees.
 
56. Furthermore, no link can be established between the present complaint and the complaints filed
 
against the 15 Belgian websites referred to in the press release of July 2023
 
by noyb. While it is certainly clear that there was clear coordination to a certain
 
extent in this case, it has not been established that this coordination took place
 
before the complainant’s complaints arose. In any event, the evidence in this
 
case does not establish that noyb exerted any pressure on the
 
complainant.
 
57. Therefore, there is no reason to claim that the mandate is fictitious.6
 
58. In the present case, the relationship between the complainant and noyb could be schematised as
 
follows:
 
15See https://noyb.eu/en/belgian-dpa-let-news-outlets-buy-themselves-free-gdpr-compliance.
 
16In this regard, see Decision on the merits 113/2024 of the Litigation Chamber of 6 September 2024 in which the
same scenario occurs. Decision on the merits 131/2024 — 17/33
 
64. Also, concerning the collection and granting of consent online, we note that a binary reading cannot be
 
satisfied. The Litigation Chamber understands that each situation should be examined on a case-by-case basis, based on the material methods of collecting and granting consent. In addition, the Litigation Chamber emphasizes that collecting and granting consent online has certain specific features. The Internet has significantly changed practices and takes up the time of the majority of citizens, particularly young people. This has led to the establishment of a form of consent that could be described as routine. Internet users browse from website to website, from page to page, and are therefore confronted with a large number of cookie banners. In doing so, the warning effect of the cookie banner diminishes, and the persons concerned may grant their consent by default, due to the weariness this causes. This 17
 
observation is made worse when we include the fact that data controllers sometimes
 
implement a design that encourages Internet users to accept the deposit of cookies.
 
65. These reasons then impose on the Litigation Chamber the duty to examine this case with the
 
utmost sensitivity.
 
II.3.1. As to the articulation of the GDPR and the Framework Law with the Guidelines
 
66. The Litigation Chamber intends to respond to the arguments formulated by the
 
defendant with regard to infringement of type 1 (see points 72 to 80, “As to the absence of a “Reject all”
 
button at the first level of the cookie banner”) and 2 (see points 81 to 95, “As to the
 
misleading use of button colours”), by which the defendant argues that neither the
 
GDPR nor the Framework Law require the implementation of a “Reject all” button at the
 
first level of the cookie banner or the use of “buttons and characters of identical
 
size, importance and colours”. The defendant adds that the guidelines of the EDPB and the
 
supervisory authorities have no binding force since they constitute
 
soft law.
 
67. To begin with, the Litigation Chamber recalls that the GDPR, as a European Regulation, is a legal act directly applicable in all Member States.
 
In so doing, the GDPR has a general scope. The European legislator cannot be expected to
 
define in detail the specific modalities of all practices relating to this act. On the contrary, it has established general and
 
abstract rules with which the persons and entities concerned must comply. The supervisory
 
authorities, in particular, must apply these principles and rules to specific cases, these
 
taking place in the digital society, whose technological developments
 
17
In English, it is customary to speak of “Click fatigue”; in this regard see EDPB, Guidelines 5/2020 on
consent within the meaning of Regulation (EU) 2016/679 of 4 May 2020, point 87, available at:
https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf.
18Summary of the defendant’s submissions, p. 22. Decision on the substance 131/2024 — 18/33
 
within it are very rapid. It is in this context that supervisory authorities must
 
adopt decisions that are adequate and proportionate. The decision-making practice of
 
authorities can – and must – in fact evolve in the light of legal and
 
technological developments. The fact that an authority is required to change its decision-making practice
 
does not in any way constitute an obstacle to the imposition of sanctions, such as administrative fines
 
for example.
 
68. Similarly, in adopting the Framework Law, the Belgian legislator did not intend to
 
define specific modalities for all practices relating to this law.
 
69. In this regard, the GDPR, in its Article 70.1.e, specifically delegates to the EDPB the mission “to
publish guidelines, recommendations and good practices” on any
 
question relating to its application, with a view to promoting its consistent application.
 
The importance of this consistency is also recalled in Articles 57.1.g and 70.1.u of the
 
GDPR. It should also be noted that Article 57.1.d of the GDPR gives the supervisory authorities the task of
 
encouraging awareness among controllers and processors of their obligations under the
 
GDPR. 70. In this way, while it is certainly correct to say that the guidelines thus
 
published are not binding in nature in that they constitute soft law, it would be
 
conversely wrong to deny them any legal effect. This denial ultimately and
 
implicitly amounts to challenging the authority of the EDPB and the supervisory
 
authorities who nevertheless have the appropriate expertise to carry out the tasks incumbent on them and
 
which have been recalled in the previous paragraph – although this does not mean that the
 
parties to a case cannot challenge the legal interpretation of the GDPR made by the EDPB or
 
a supervisory authority.
 
71. By way of conclusion, the Litigation Chamber recalls that the guidelines of the EDPB
 
and the supervisory authorities specify the provisions of the GDPR, but that it is the violation
 
of the latter – which are the subject of a concrete application to a specific case – which
 
justifies the imposition of corrective measures or a sanction.
 
II.3.2. As for the absence of a “Refuse all” button at the first level of the
 
cookie banner
 
72. Article 4.11 of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data
 
subject’s wishes by which he or she signifies agreement, by a
 
statement or by a clear affirmative action, to the processing of personal data
 
concerning him or her”. Recital 42 of the GDPR states that “consent
 
19Draft Law of 11 June 2018 on the protection of natural persons with regard to the processing of personal data,
Explanatory Memorandum, Parl. Doc., Repr. Ch., Ord. Sess. 2017-2018, No. 54-3126/1, p. 21. Decision on the substance 131/2024 — 19/33
 
should not be considered to have been freely given if the data subject
 
does not have a genuine freedom of choice or is unable to refuse or
withdraw consent without suffering detriment.”
 
73. Article 5.1.a) of the GDPR provides that personal data must be processed
 
“lawfully, fairly and transparently.” To be lawful, the processing must be based on
 
the consent of the data subject or any other basis of lawfulness set out in Article
 
6.1 of the GDPR.
 
74. By applying these provisions, it must be concluded that for each cookie banner it
 
must be as simple to consent to the deposit of cookies as it is to refuse them. Therefore,
 
the button for accepting the deposit of cookies and the button for refusing the deposit of cookies must appear
 
together, at each level of the cookie banner
 
in which the button for accepting the deposit of cookies appears. Otherwise, the
 
consent then collected could not be considered as having been given
 
freely and unequivocally.
 
75. The Litigation Chamber notes in the present case that by not presenting the
 
“Accept all” and “Reject all” buttons at the first level of the cookie banner – the
 
first button being the only one present – the defendant not only makes the possibility of refusing the deposit of cookies less visible
 
to the persons concerned, but also makes it materially more difficult for them to refuse, given that a greater number
 
of actions are required. In this sense, the persons concerned – such as the complainant – are
 
encouraged to accept the deposit of cookies.
 
76. The EDPB 20 considers that an incentive is not necessarily contrary to the GDPR. He cites as an example the case where a data controller, granting general discounts
 
on the purchase of clothing and fashion accessories, requests the consent of the person
 
concerned to deposit cookies in order to better target their preferences. The incentive in this case
 
is then authorized on the understanding that the person concerned would not suffer any harm if
 
they were led to withdraw their consent.
 
77. In the present case, however, the incentive cannot be considered as authorized
 
or valid. Unlike the incentive presented in the example above, it does not offer
 
any advantage to the person concerned. However, a free choice implies that the button
 
allowing the refusal of the deposit of all cookies is offered at a level at least equal
 
to that allowing the acceptance of their deposit. Furthermore, it should be noted that the
 
cookie banner requires users to make a choice. This constitutes a practice
 
20
EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679 of 4 May 2020, point 50,
available at: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf.
21EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679 of 4 May 2020, point 13,
available at:https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 cEnsent en.pdf.
in particular, the following excerpt: “The adjective ‘free’ implies a choice and real control for the data subjects. […]”. Decision on the merits 131/2024 — 20/33
 
22
“cookie wall” issue. Consequently, the consent granted to the deposit of
 
cookies on the defendant’s website was not freely given.
 
78. Furthermore, the consent given by the data subject cannot
 
be considered to have been given unequivocally. Indeed, by not informing the
 
complainant of the possibility of rejecting the deposit of cookies, it cannot
 
be considered that the latter was able to consent by a clear positive act to the deposit of
 
cookies.
 
79. The findings made in the above paragraphs, relating to the first level of the
 
cookie banner, are not altered by the fact that at other levels of the
 
defendant’s website the “Accept all” and “Reject all” buttons are
 
presented together.
 
Requiring a data controller to make it as easy to refuse the deposit of
 
cookies as it is to accept them constitutes a concrete application of the conditions of
 
validity of consent as defined by Article 6.1.a) of the GDPR. The verification of the
 
validity of consent must then be carried out at the time when consent is
 
actually granted – or not. Given that the complainant consented to the deposit of
 
cookies at the first level of the cookie banner, the validity of the consent
 
collected must in fact only be retained at this level. This is all the more true since, by definition, the
 
data subjects are first confronted with the first level of the cookie banner.
 
In addition, the Litigation Chamber recalls that it is the responsibility of the data
 
controller to demonstrate that they have obtained the data subject’s consent under
 
Article 7.1 of the GDPR.
 
80. By way of conclusion, the Litigation Chamber notes that the defendant has violated
 
Article 6.1.a) of the GDPR, as well as Article 10/2 of the Framework Law.
 
II.3.3. As for the misleading use of button colours
 
81. Regarding the defendant’s first argument, concerning the fact that neither the GDPR nor
 
the Framework Law require data controllers to “use buttons and characters of identical size, importance and colour”, the Litigation Chamber notes that
 
the defendant is wrong to think that the complainant would support this idea. The complaint
 
in this regard claims that the cookie banner is in a form that encourages data subjects
 
to click on the "Accept and close" button, so that consent
 
22EDPB, Guidelines 5/2020 on consent under Regulation (EU) 2016/679, 4 May 2020, point 39, available
at: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent fr.pdf.
 
23The Litigation Chamber recalls that a person whose data has not been processed precisely because
they have refused to consent to processing that presumably constitutes a practice violating their rights, and who, in doing so, has not been able to access a benefit or service, has the right to lodge a complaint with a supervisory authority under Article 77 of the GDPR, as set out in the judgment of 7 October 2021 of the Court of Cassation, accessible via :
https://juportal.be/content/ECLI:BE:CASS:2021:ARR.20211007.1N.4/FR?HiLi=eNpLtDK2qs60MrAutjI2sFJKT01PLUvNK05KL
U7OSC3KzcxLL04sLckvyixJzSxRss60MoSqdHd1dw1z9Qt2cg129nAN8vX0cw92DA3xD/IMcfUMAak0gqkkYGYtAFHdLHE=. Decision on the merits 131/2024 — 21/33
 
granted does not meet the conditions provided for by the GDPR. Moreover, the Litigation Chamber refers the parties to points 66 to 80.
 
82. Then, the Litigation Chamber notes that on the defendant’s cookie banner
 
(see below) three colours appear. The text uses a white font colour,
 
and the background of the banner is dark blue. The “Learn more” button, which
 
ultimately allows you to refuse the deposit of cookies, is the same blue as the background, but is
 
separated from it by white borders. The “Accept and close” button is a striking orange
 
colour.
 
83. As set out in point 72, consent must have been given freely, specifically,
 
informed and unequivocally. Following on from what was developed in point 71, the fact
 
of requiring a data controller that the button colours used are not of a nature
 
likely to clearly direct users towards the choice of consenting to the deposit of
 
cookies constitutes a requirement to respect the free and unequivocal nature that
 
consent must have, understood within the meaning of Article 6.1 of the GDPR.
 
84. In this case, the Litigation Chamber is of the opinion that the use of colours made by the
 
defendant is of a nature likely to clearly encourage users to click on the
 
"Accept and close" button, in that the button stands out
 
particularly from the rest of the cookie banner, and that it is therefore on this button that the
 
users' attention will mainly gravitate.Therefore, the plaintiff’s consent obtained by the defendant
 
regarding the deposit of cookies is not valid. Decision on the merits 131/2024 — 22/33
 
85. First of all, the European Court of Human Rights defines freedom of artistic
 
expression as that which “enables participation in the public exchange of cultural,
 
political and social information and ideas of all kinds (see, mutatis mutandis, the
 
judgment in Müller and Others v. Switzerland of 24 May 1988, Series A no. 133, p. 19, § 27). Those who create, perform,
 
disseminate or exhibit a work of art contribute to the exchange of ideas and opinions
 
essential to a democratic society […]” . 24
 
86. Next, the Litigation Chamber recalls that the right to data protection is a
 
fundamental right. The European legislator has implemented this fundamental right, in particular
 
in the GDPR and the ePrivacy Directive. The choice that the legislator has made, including
regarding the conditions of the consent that it has submitted in the legislative texts, indicate the
 
threshold of requirement that data controllers must respect before they can
 
use this consent for the placement of cookies and subsequent processing (Art. 6.1.a
 
of the GDPR and 10/2 of the Framework Law). The data controller has a certain margin of
 
maneuver in the implementation of the conditions implemented in the legislative bases mentioned
 
above; however, the controller cannot choose the conditions of the consent. It is the duty of the DPA to enforce the
 
application of the GDPR and the ePrivacy Directive.
 
87. Concerning the freedom of artistic expression relied on by the defendant, the Litigation Chamber notes that Article 85.1 of the GDPR provides that: "Member States shall reconcile,
 
by law, the right to the protection of personal data under this Regulation and the right to freedom of expression and information, including processing for journalistic purposes and for the purposes of academic, artistic or literary expression.".
 
88. Recital 153 of the same Regulation specifies in this regard that such a reconciliation must take place when it proves necessary. It also specifies that the concepts related to this freedom should be interpreted broadly in the light of the importance of the right to freedom of expression.
 
89. The Belgian legislator has provided in Article 24 of the Framework Law for exceptions to the application of
 
certain provisions of the GDPR for processing for journalistic purposes and for
 
academic, artistic or literary expression, as follows:
 
Ҥ 1. Processing of personal data for journalistic purposes
 
means the preparation, collection, drafting, production, dissemination
 
or archiving for the purpose of informing the public, using any media and
 
where the controller is subject to rules of journalistic ethics.
 
24 Eur. Court HR (Grand Chamber), judgment in Karatas v. Turkey, 8 July 1999, paragraph 49,
 
accessible via: https://hudoc.echr.coe.int/eng?i=001-62826. Decision on the merits 131/2024 — 23/33
 
§ 2. Articles 7 to 10, 11.2, 13 to 16, 18 to 20 and 21.1 of the Regulation do not
 
apply to the processing of personal data carried out for journalistic purposes and for
 
purposes of academic, artistic or literary expression.
 
§ 3. Articles 30.4, 31, 33 and 36 of the Regulation do not apply to
 
processing for journalistic purposes and for purposes of academic, artistic or
 
literary expression when their application would compromise a planned
 
publication or would constitute a control measure prior to the publication of
 
an article.
 
§ 4. Articles 44 to 50 of the Regulation shall not apply to transfers of
 
personal data carried out for journalistic purposes and for the purposes of academic, artistic or literary
 
expression to third countries or to international organisations to the extent that this is
 
necessary to reconcile the right to the protection of personal data and freedom
 
of expression and information.
 
§ 5. Article 58 of the Regulation shall not apply to the processing of personal
 
data carried out for journalistic purposes and for the purposes of academic, artistic or literary
 
expression where its application would provide indications on the sources of information or constitute a
 
control measure prior to the publication of an article. »
 
90. First, it should be noted that Articles 5.1.a and 6.1 of the GDPR are not subject to
 
an exemption concerning processing carried out for the purposes referred to in point 87.
 
91. Next, the Litigation Chamber notes that it is clear from the report on the work undertaken
 
by the Cookie Banner TaskForce that, concerning colours [and contrasts], no general
 
banner model could be imposed on data controllers. The same report
 
further states that the validity of the cookie banner must then be examined on a case-by-case basis, in order to verify
 
whether the colours or contrasts used do not blatantly direct users towards a choice that does not
 
correspond to their preferences regarding the sharing of personal data. 25
 
92. This means that controllers, whose compliance with the GDPR must be
 
assessed on a case-by-case basis, have considerable leeway in the choice of
 
colours [and contrasts] in their cookie banners. They can therefore be
 
creative, in particular to reflect their brand identity. This leeway also
 
allows controllers to comply with both the
 
25EDPB, Report of the work undertaken by the Cookie Banner Taskforce, available at (in English only):
 
https://www.edpb.europa.eu/system/files/2023-01/edpb 20230118 report cookie banner taskforce en.pdf. Decision on the substance 131/2024 — 24/33
 
requirements incumbent on them under the GDPR and compliance with the
 
principles of inclusive design, for example.
 
93. Going even further, the Litigation Chamber emphasises that in this case the defendant
 
could quite easily maintain the same colours used in its cookie banner, provided
 
that it reverses the colour used for the button allowing the acceptance of the deposit of cookies,
 
and that used for the button allowing, ultimately, to refuse them. As has been explained
 
in point 83, data controllers must ensure that the use of a colour
 
does not clearly encourage users to consent to the deposit of cookies on their
 
browser. On the other hand, there is nothing to prevent data controllers from using
 
a button colour that would similarly encourage users to refuse the
 
deposit of cookies.
 
94. Ultimately, the defendant wrongly claims that the requirements to which the choice of
 
colours used in its cookie banner is subject would infringe its freedom of artistic
 
expression, and the coherent and aesthetically pleasing experience that it
 
wishes to provide to its users, including persons with
 
visual impairments.
 
95. For the reasons set out above, the Litigation Chamber concludes that the
 
defendant has violated Articles 5.1.a) and 6.1.a) of the GDPR, as well as Article 10/2 of the Framework
 
Law.
 
II.3.4. As to the terms of withdrawal of consent
 
96. Article 7.3 of the GDPR provides that “The data subject has the right to withdraw
 
his or her consent at any time. The withdrawal of consent shall not compromise the lawfulness
 
of processing based on consent given before its withdrawal. The data subject


shall be informed thereof before giving his or her consent. It is as easy to withdraw as it is to
The Contentious Chamber of the Data Protection Authority, composed of Mr. Hielke Hijmans, President, and Messrs Christophe Boeraeve and Jelle Stassijns, members;


give consent. ».
Considering:


97. The EDPB specifies that the violation of Article 7.3 of the GDPR results in the non-compliance of the
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the "GDPR";
26
- The Law of December 3, 2017, establishing the Data Protection Authority (hereinafter "LCA");
consent mechanism of the data controller.
- The Internal Regulations approved by the House of Representatives on December 20, 2018, and published in the Belgian Official Gazette on January 15, 2019;
- The documents in the file;


98. It emerges from the report on the work undertaken by the Cookie Banner Taskforce that a
Has made the following decision regarding:


specific model for withdrawing consent cannot be imposed on data controllers,
- Complainant: X, represented by noyb – European Center for Digital Rights, located at Goldschlagstraße 172/4/3/2, 1140 – Vienna (AT), registered in Austria under the company number ZVR 1354838270, hereinafter "the complainant".
- Defendant: RTL Belgium, with its registered office at Avenue Jacques Georgin, 2 – 1030 Schaerbeek, registered under the company number 0428.201.847, represented by Laurence Vandenbrouck, hereinafter "the defendant".


including the solution of a floating banner or button (or
1. On July 19, 2023, the complainant filed a complaint with the Data Protection Authority against the defendant. The Contentious Chamber notes that the complaint form is dated July 18, 2023; however, it was submitted to the DPA during the night of July 18 to 19, 2023. Therefore, the latter date should be retained as the formal filing date of the complaint.


"hovering solution"). It also emerges from the same report that a link located in a visible and
2. The subject of the complaint concerns several aspects related to the cookie banner on the defendant's website, which allegedly contravene the principles of the GDPR and the LCA.


standardized place constitutes a solution adapted to compliance with Article 7.3 of the GDPR.
3. On February 10, 2023, the complainant visited the defendant's website as part of a project initiated with a colleague during her internship at noyb. She explained that she took this initiative to verify if certain websites, including that of the defendant, belonging to major Belgian media groups that had previously entered into transactions with the DPA, complied with the GDPR. During this visit, the complainant and her colleague identified potential GDPR violations. Following this observation, the complainant created a HAR file to document these potential violations. In the meantime, she mandated noyb, mainly to obtain technical assistance, as she was unable to prepare the HAR file herself. Subsequently, the complainant prepared a complaint, the grievances of which, identical to the arguments raised in her conclusions, will be developed in point 16. Within the scope of her mandate, noyb reviewed and corrected the complaint prepared by the complainant. It should be noted that there is some ambiguity in the complainant's statements regarding the preparation of the complaint, as she also mentioned that noyb had prepared the complaint, and that she had only written part of it and reviewed the rest.


26
4. On August 4, 2023, the First-Line Service (hereinafter "SPL") requested noyb to provide information on the complainant's interest in acting.
EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679 of 4 May 2020, point 116,
available at: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf.
27EDPB, Report on the work undertaken by the Cookie Banner Taskforce of 17 January 2023, point 35, available via (in English only): https://www.edpb.europa.eu/system/files/2023-01/edpb 20230118 report cookie banner taskforce en.pdf. Decision on the merits 131/2024 — 25/33


99. The Litigation Chamber adds that the duty to give data subjects the opportunity
5. On August 25, 2023, the SPL declared the complaint admissible based on Articles 58 and 60 of the LCA and forwarded it to the Contentious Chamber in accordance with Article 62, §1 of the LCA.


to withdraw their consent as simply as the manner in which they grant it must be balanced against the comfort of use of the data subjects. This
6. On September 1, 2023, noyb responded to the SPL that the complainant demonstrates an interest in acting, as she is a concerned person whose personal data was processed after she consented to the deposit of cookies on the defendant's website. Since the processing of these data is considered unlawful by both her and noyb, the complainant believes her rights have been affected. In this regard, she relies on annexes. In any event, noyb states that demonstrating an interest in acting on the complainant’s behalf is not a condition for the admissibility of the complaint.


duty should therefore not make the browsing experience on a data controller’s website
7. On October 20, 2023, the Contentious Chamber proposed a settlement – previously communicated to the complainant – to the defendant.


painful for users – if this were the case, it would then prove unreasonable.
8. On November 27, 2023, the defendant did not consider the terms of the settlement acceptable and, therefore, requested a re-evaluation. However, it did not oppose a new settlement proposal.


100. In this case, the Litigation Chamber notes that the defendant’s website provides
9. On December 1, 2023, the Contentious Chamber replied that it would withdraw the settlement proposal unless decisive elements were presented before December 6, 2023.


users with a “Manage Cookies” button at the bottom of each of its
10. On December 18, 2023, the Contentious Chamber formally withdrew the settlement proposal.


navigation pages. In this regard, the Litigation Chamber notes that this button is
11. On February 5, 2024, the Contentious Chamber decided, under Article 95, §1, 1° and Article 98 of the LCA, that the case could be examined on the merits. On that date, the concerned parties were informed by registered mail of the provisions as outlined in Article 95, §2 and Article 98 of the LCA. They were also informed, under Article 99 of the LCA, of the deadlines for submitting their conclusions. The deadline for the defendant’s response was set for March 18, 2024, the complainant’s reply for April 8, 2024, and the defendant’s rejoinder for April 29, 2024.


reasonably accessible to users.
12. On February 8, 2024, the defendant accepted electronic communication for all case-related matters and expressed its intention to exercise the option to be heard, in accordance with Article 98 of the LCA. It also requested a copy of the file (Article 95, §2, 3° LCA), which was provided on February 19, 2024.


101. Furthermore, among the options presented in the “Manage Cookies”
13. On February 9, 2024, the complainant agreed to receive all communications electronically and also requested a copy of the file (Article 95, §2, 3° LCA), which was provided on February 19, 2024. She also requested that the procedure continue in Dutch.


button, there are “Accept all” and “Reject all” buttons. Users therefore have the
14. On February 19, 2024, the Contentious Chamber decided to maintain French as the language of the procedure, as the complaint was filed in French, and the website of the defendant against which the grievances are directed is in French. The complainant did not provide any other justification for changing the language for the continuation of the procedure. Moreover, given the time taken to communicate the administrative file to the parties, the Contentious Chamber decided to extend the deadlines for submitting conclusions. The new deadline for the defendant’s response is now set for March 25, 2024, the complainant’s reply for April 15, 2024, and the defendant’s rejoinder for May 6, 2024.


possibility of withdrawing their consent using a single button.
15. On March 25, 2024, the Contentious Chamber received the defendant’s response. The defendant’s additional and summary submissions are summarized in point 17.


102. The fact that the withdrawal of consent is not carried out in the same way
16. On April 15, 2024, the Contentious Chamber received the complainant's reply, which can be summarized as follows:


as for its collection is not a problem here, since otherwise the interests of
  - Regarding the admissibility and admissibility of the complaint:
    - Article 220, §2, 1° of the Law of July 30, 2018, should be disregarded as it violates Article 80.1 of the GDPR. The complainant argues that Article 26, §4 of the Special Law of January 6, 1989, on the Constitutional Court, does not apply since the DPA is not a judicial body, and therefore, it should not pose a preliminary question before disregarding the provision mentioned. Furthermore, even if Article 26, §4 of the Special Law were applicable, this would not prevent the provision from being disregarded due to the absolute primacy of European law. The complainant supports this with judgments from the Court of Justice of the European Union (CJEU).
    - The mandate is sufficiently precise as the terms of the mandate specify what noyb is authorized to do. Article 1984 of the Civil Code does not require more specificity than what is provided in this case.
    - The complaint is admissible as it was signed by the chairman of noyb’s board under Article 58 of the LCA. The complainant argues that the article does not require the complainant’s personal signature but allows a representative’s signature. Moreover, the absence of a signature is not grounds for inadmissibility or rejection under Article 60 of the LCA.
    - The complainant is validly represented by noyb under Article 80.1 of the GDPR, and the fact that the complainant interned at noyb does not affect this conclusion. The complainant references a CJEU judgment affirming valid representation by noyb despite a subordinate relationship.


users (and of the complainant more specifically) would themselves be affected.
---


103. Consequently, the Litigation Chamber decides to dismiss this complaint without further action.
Footnotes:


III. Corrective and provisional measures
1. The new internal regulations of the DPA, following the amendments by the Law of December 25, 2023, came into force on June 1, 2024. They apply only to complaints, mediation files, requests, inspections, and procedures initiated after this date.


104. Under Article 100 of the LCA, the Litigation Chamber has the power to:
---


1° dismiss the complaint;
### II. Motivation


2° order that there be no case to answer;
#### II.1. Regarding the Procedure


3° order a suspension of the decision;
23. During the hearing held on July 1, 2024, the defendant raised two preliminary remarks that must be addressed. The defendant brought to the attention of the Contentious Chamber that (i) a procedure with some similarities to the present case is pending before the Court of Markets. In that case, a settlement proposal was submitted to a data controller, which was unilaterally withdrawn by the Contentious Chamber. The data controller then appealed to the Court of Markets, contesting the unilateral withdrawal of the settlement proposal by the Contentious Chamber. The defendant thus asks whether it would be appropriate to suspend the present proceedings until the Court of Markets delivers its judgment. (ii) Furthermore, the defendant pointed out that the complainant previously worked as a lawyer at the law firm that represented the DPA before the Court of Markets in the aforementioned case. The defendant considers that this could suggest a potential conflict of interest or a possible breach of the principle of impartiality—both in its subjective and objective dimensions.


4° propose a transaction;
(i) Regarding the Remark Related to the Pending Procedure before the Court of Markets


5° issue warnings and reprimands;
24. As the Contentious Chamber stated during the hearing, the procedure pending before the Court of Markets is not comparable to the present case. While the procedure before the Court of Markets referred to by the defendant concerns a settlement proposal unilaterally withdrawn by the Contentious Chamber, which was contested by the party to whom the proposal was submitted, it should be noted that in the present case, the defendant refused the terms of the proposed settlement. When the Contentious Chamber informed the defendant that it would withdraw the proposal, the defendant did not object. Therefore, there is no longer a settlement proposal in the present case, and the procedure continues validly with a substantive examination of the file.


6° order compliance with the requests of the person concerned to exercise their rights
(ii) Regarding the Potential Conflict of Interest or Breach of the Principle of Impartiality


;
25. Although the principle of impartiality applies to administrative authorities, including the Contentious Chamber, it should be noted, according to established jurisprudence of the Council of State: "the general principle of impartiality must be applied to any active administrative body. It is sufficient that an appearance of partiality could have raised a legitimate doubt in the applicant's mind about the ability to address their case impartially. However, this principle only applies insofar as it aligns with the specific nature, and particularly the structure, of the active administration. Furthermore, the impartiality of a collegial body can only be challenged if, on the one hand, specific facts that cast doubt on one or more members of that body can be legally established and, on the other hand, if it is evident from the circumstances that the bias of that member(s) could influence the entire body. It is up to the person alleging that the authority has not acted with independence, impartiality, and care to provide evidence." 
  (C.E., November 30, 2022, 255.145, Lemaire and Loslever; see also C.E., January 19, 2022, 252.684, XXX).


7° order that the person concerned be informed of the security problem;
26. It is therefore up to the party alleging a breach of the principle of impartiality to provide evidence of specific facts that would indicate that the principle of impartiality has been violated.


8° order the freezing, limitation or temporary or permanent prohibition of the processing;
27. A distinction is made between objective and subjective impartiality.


9° order the processing to be brought into compliance;
28. The Contentious Chamber emphasizes, firstly, that the law firm in question was selected following a public procurement process (at a time not suspect), and must therefore respect the principles of equality, non-discrimination, transparency, and proportionality with regard to all bidders, and must be based on objective award criteria. Furthermore, the complainant acts as a concerned person, outside of any link with her former profession as a lawyer at the concerned law firm. As the defendant has not provided further evidence demonstrating that the Contentious Chamber has given the appearance of bias, the Contentious Chamber cannot conclude that it has breached the principle of objective impartiality.


10° order the rectification, restriction or erasure of data and the notification of
29. Furthermore, the Contentious Chamber notes that the defendant has not provided any evidence indicating that it may have acted with bias or intervened in the present proceedings in a manner that compromised the objectivity of the debates. In the end, the defendant has not provided proof of any concrete actions by the Contentious Chamber that would allow the conclusion that it acted with partiality.
these to the recipients of the data;


11° order the withdrawal of the accreditation of certification bodies;
30. Consequently, the Contentious Chamber considers that there is no risk of a conflict of interest in this case and that it has not breached the principle of impartiality, whether in its objective or subjective dimension.


12° impose periodic penalty payments;
#### II.2. Regarding the Admissibility and Receivability of the Complaint


13° impose administrative fines; Decision on the merits 131/2024 — 26/33
##### II.2.1. Regarding the Constitution of noyb


14° order the suspension of transborder data flows to another State or an
31. Article 80.1 of the GDPR states: "The data subject shall have the right to mandate a not-for-profit body, organization, or association, which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of the rights and freedoms of data subjects with regard to the protection of their personal data, to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78, and 79 and to exercise the right to receive compensation referred to in Article 82 where provided for by the law of the Member State."


international body;
32. Article 220, §2 of the LCA specifies: 
  "§ 2. In disputes provided for in paragraph 1, a body, organization, or non-profit association must:
  - 1° be properly constituted in accordance with Belgian law;
  - 2° have legal personality;
  - 3° have statutory objectives of public interest;
  - 4° have been active in the field of protecting the rights and freedoms of data subjects with regard to the protection of their personal data for at least three years."


15° forward the file to the Public Prosecutor's Office of the Brussels
33. The Contentious Chamber has previously expressed doubts about the compatibility of certain aspects of the Belgian provision with the GDPR.


King's Prosecutor, who shall inform him of the follow-up given to the file;
34. The primacy of European law requires the disregard of any national provision that cannot be interpreted in accordance with a European legal standard—such disregard being a duty for all state bodies, including judicial and administrative authorities tasked with applying European law within their respective competencies.


16° decide on a case-by-case basis to publish its decisions on the website of the
35. If there are reasons to believe that a law—understood within the meaning of Article 22 of the Constitution—violates "a fundamental right guaranteed in whole or in part similarly by a provision of Title II of the Constitution as well as by a provision of European law […]" it is up to the court before which this situation arises to refer a preliminary question to the Constitutional Court.


Data Protection Authority.
36. The CJEU has ruled that an incidental procedure for reviewing the constitutionality of national laws complies with Union law, provided that this procedure respects four conditions:
  - Other national courts remain free "to refer to the Court of Justice at any stage of the procedure, even after the incidental review procedure, any preliminary question they deem necessary";
  - Other national courts remain free "to adopt any measures necessary to ensure the provisional judicial protection of the rights conferred by the Union legal order";
  - Other national courts remain free "to disregard, following such an incidental procedure, the national legislative provision in question if they find it contrary to Union law";
  - "It is up to the referring court to verify whether the national legislation in question can be interpreted in accordance with these requirements of Union law."


III.1. Compliance order
37. The Contentious Chamber notes that the special legislator has limited the scope of Article 26, §4 of the Special Law to ordinary and administrative courts only.


105. The Litigation Chamber considers it appropriate to impose two compliance injunctions on the defendant,
38. The Contentious Chamber, however, is not part of the judiciary—it is an administrative authority.


based on the breaches noted.
39. Therefore, Article 26, §4 of the Special Law does not apply to the Contentious Chamber, and it neither has the obligation nor the possibility to refer a preliminary question to the Constitutional Court.


106. Injunction 1: the Litigation Chamber requires the defendant to add a button
40. Given that there is no other incidental procedure for constitutional review, the Contentious Chamber must directly ensure that it gives full effect to the European legal standards it must apply within its competence—namely, Article 80.1 of the GDPR in this case.


clearly allowing the refusal of the deposit of cookies with a single click, and this at the same level
41. Following what was stated in point 33, the Contentious Chamber asserts that Article 220, §2, 1° of the LCA contradicts the aforementioned provision of the GDPR as it restricts the scope of the latter, rendering them incompatible.


as the button allowing the acceptance of the deposit of cookies at each level of the
42. Consequently, Article 220, §2, 1° of the LCA must be disregarded.


cookie banner in which the button allowing the acceptance of the deposit of cookies appears.
##### II.2.2. Validity of the Mandate


107. Injunction 2: the Litigation Chamber requires the defendant to use colours and
43. Regarding the representation mandate, the Contentious Chamber notes that it includes the details of the principal and the agent, and the former mandates the latter to represent her before the DPA and to take any necessary actions to uphold her rights regarding the collection and processing of her data on the defendant’s website. The Contentious Chamber adds that, in the annexes to the complaint form, the mandate is titled as follows: "Exhibit 1 – Representation Agreement under Article 80(1) GDPR."


contrasts that are not manifestly misleading. The button clearly allowing the
44. Regarding this element, the Contentious Chamber cannot agree with the defendant's argument that noyb attempted to "cover up" the absence of a reference to Article 80.1 of the GDPR in the body of the mandate. On the one hand, noyb claims that this reference was already present at the time of signing. On the other hand, the Contentious Chamber points out that the validity of the mandate should be assessed at the time of the complaint’s filing. Therefore, it does not seem plausible that noyb sought to "cover up" the absence of a reference to Article 80.1 of the GDPR—since the absence would render the mandate invalid—considering it would have been enough to redo the mandate. Therefore, the mandate should be read in light of its title as an annex


refusal of the deposit of cookies must therefore be displayed at least
. Read in this way, it is clear that the mandate was concluded under Article 80.1 of the GDPR.


equivalent to the one allowing the acceptance of it. The Litigation Chamber specifies that the defendant has
45. Regarding the alleged contradictions in the mandate raised by the defendant, the Contentious Chamber recalls that it cannot interpret the mandate too restrictively. As an administrative authority, the Contentious Chamber oversees the correct application of the GDPR. In this capacity, it is authorized to impose one or several sanctions listed in Articles 95, §1, or 100, §1 of the LCA to protect the fundamental rights of data subjects. The mandate, as it appears in the file, allows for the identification of the parties to the contract, the data controller against whom the complainant addresses her grievances, the supervisory authority where the complaint is filed, and a reference to Article 80.1 of the GDPR under which the mandate was granted. These elements justify the actions that noyb undertakes on behalf of the complainant before the DPA. Imposing further conditions on the mandate would compromise the oversight responsibility of the Contentious Chamber and the rights of data subjects. The Contentious Chamber clarifies that the elements mentioned above should not be interpreted as setting any minimum threshold.


however the possibility of retaining the colours currently used in its cookie banner
46. Finally, in any case, the Contentious Chamber notes that Article 17 of the Judicial Code does not apply to the Contentious Chamber, as it is an administrative authority, as stated in point 38.


provided that it reverses the colour used for the button for refusing the
##### II.2.3. Lack of Signature on the Complaint


deposit of cookies with that for accepting them; it refers it in this regard to point
47. Article 58 of the LCA states: "Any person may submit a written, dated, and signed complaint or request to the Data Protection Authority."


94.
48. Article 60 of the same law stipulates that, in assessing the admissibility of complaints it receives, the SPL verifies that the complaint is "written in one of the national languages," "contains a statement of facts and the necessary details to identify the processing to which it relates," and that the complaint "falls within the competence of the Data Protection Authority."


108. As examples, the Litigation Chamber inserts below an illustration from its
49. Contrary to what noyb claims, these two provisions should not be read separately but rather together. Thus, the formal requirements prescribed by Article 58 of the LCA must also be taken into account when assessing admissibility under Article 60 of the same law.


Cookies checklist 28 and constituting good practice. However, the implementation of these
50. The Contentious Chamber notes that the complaint form was signed by the chairman of noyb's board of directors with the following mention: "For noyb."


injunctions is the sole responsibility of the defendant.
51. In this regard, the Belgian legislator specified that the signature must come from "the competent person in the matter," but not necessarily from the complainant. Therefore, it must be understood that at least the representative may sign the complaint form. This also follows from Article 80.1 of the GDPR, which provides that the data subject has the right to mandate "a body, organization, or non-profit association […] to lodge a complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78, and 79 [of the GDPR]."


28https://www.autoriteprotectiondonnees.be/publications/checklist-cookies.pdf. Decision on the merits 131/2024 — 27/33
52. As a legal entity, noyb must be represented by one of its members in the actions it takes. Accordingly, the chairman of noyb's board of directors signed the complaint form—in the exercise of this function, which authorizes him to take such actions.


109. Each of these two injunctions must be complied with no later than the 45th day following
53. It cannot be inferred from the mention "For noyb" that noyb acts as the complainant, as this note is precisely intended to engage noyb’s responsibility and not that of its chairman in his capacity as a natural person.


notification to the defendant of this decision. Within the same period, the defendant
### II.2.4. The Interest to Act


will communicate to the Litigation Chamber and to the plaintiff a document reflecting the
54. The Contentious Chamber acknowledges the content of its decision 22/2024; however, it is necessary to highlight the differences that distinguish the facts of the aforementioned decision from those in the present decision.


manner in which it has complied with the two injunctions issued.
55. Although the complainants share the fact of having interned at noyb and, in this context, consulted websites that subsequently motivated the filing of a complaint with the DPA in both decisions, it must be noted that in the facts examined in decision 22/2024, noyb had implemented a large-scale plan aimed at filing dozens of complaints against multiple data controllers with various supervisory authorities—including the DPA. Moreover, the complainant had explicitly acknowledged being assigned various files, including the defendant’s website from the aforementioned decision. These elements—along with others—led the Contentious Chamber to consider the mandate concluded between the complainant and noyb as fictitious at that time. However, such a conclusion cannot be drawn in the present case. The complainant—a French speaker—consulted the French-language website of the defendant based on a personal initiative, which does not fall within the framework of other coordinated noyb projects. In principle, there is nothing to prevent noyb from representing one of its employees or interns.


110. In the event of inaction – even apparent – after the 45th day following the notification to the
56. Furthermore, no link can be established between the present complaint and the complaints filed against the 15 Belgian websites mentioned in noyb’s July 2023 press release. Although there is indeed evidence of some coordination in the present case, it is not established that this coordination occurred before the complainant’s grievances emerged. In any event, the elements of the present case do not establish that noyb exerted any pressure on the complainant.


defendant of this decision, the Litigation Chamber shall notify the defendant.
57. Therefore, there is no basis for asserting that the mandate is fictitious.


As of this notification, the penalty payment is implemented. It will only end
58. In this case, the relationship between the complainant and noyb can be summarized as follows:


as of the notification of the Litigation Chamber by which the latter recognizes
  Relationship 
  Master 
  Intern 
  NOYB 
  -• -• -• 
  Absence of evidence 
  of instructions 
  \ 
  Complainant 
  Suffers violations 
  Files a complaint with the DPA


that the defendant has fully complied with the injunctions in this case.
59. The fact that noyb provided technical and legal assistance to the complainant does not alter this finding. On the contrary, this constitutes good practice that one could reasonably expect from an entity with which a person is interning.


III.2. Ancillary sanction: the penalty payment
60. Therefore, the complainant's interest to act does not need to be demonstrated, as she is a concerned person—her personal data having been processed by the defendant.


III.2.1. Preliminary considerations
### II.3. Regarding the Substance of the Case


111. The penalty payment is special in that it is fully conditional. The amount to be paid
61. As a preliminary point, the Contentious Chamber recalls that the right to the protection of personal data is a fundamental right guaranteed by Article 8 of the Charter of Fundamental Rights of the European Union.


is indeed uncertain. The defendant first has a period of time to comply
62. With this in mind, all complaints should be examined, especially those concerning the consent of the data subject.


with or appeal the decision. Only in the event of non-compliance on its part
63. The GDPR indeed provides several lawful bases—which are recalled in point 73—among which is the consent of the data subject.


after a period of 45 days from notification of this decision will the penalty payment Decision on the merits 131/2024 — 28/33
64. Regarding the collection and granting of consent online, a binary reading cannot suffice. The Contentious Chamber understands that each situation must be examined on a case-by-case basis, based on the material modalities of the collection and granting of consent. Furthermore, the Contentious Chamber emphasizes that the collection and granting of online consent have certain particularities. The internet has significantly changed practices and occupies most citizens' time, especially young people. Thus, what could be termed a routine consent has emerged. Internet users navigate from website to website, from page to page, and are therefore confronted with numerous cookie banners. As a result, the warning effect of the cookie banner diminishes, and the data subjects may give their consent by default due to the fatigue thus caused. This issue is compounded when data controllers design cookie banners that encourage users to accept cookies.


be implemented. Consequently, the amount of the penalty payment is variable, and may even be zero,
65. These reasons compel the Contentious Chamber to examine the present case with the utmost sensitivity.


where applicable.
#### II.3.1. On the Interaction Between the GDPR and the LCA with the Guidelines


112. The penalty payment is thus distinguished from the administrative fine in that it constitutes an indirect
66. The Contentious Chamber addresses the arguments made by the defendant regarding Type 1 (see points 72 to 80, "On the absence of a 'Reject All' button at the first level of the cookie banner") and Type 2 (see points 81 to 95, "On the misleading use of button colors") violations, wherein the defendant claims that neither the GDPR nor the LCA require the implementation of a "Reject All" button at the first level of the cookie banner or the use of "buttons and characters of the same size, importance, and color." The defendant adds that the guidelines from the EDPB and supervisory authorities are not binding as they constitute soft law.


means of enforcement of the main sanction(s) in order to comply
67. Firstly, the Contentious Chamber recalls that the GDPR, as a European Regulation, is directly applicable in all Member States. As such, the GDPR has a general scope. It cannot be expected that the European legislator intended to define in detail the specific modalities of all practices related to this act when adopting this Regulation. On the contrary, it established general and abstract rules that must be adhered to by the entities concerned. Supervisory authorities, in particular, must apply these principles and rules to specific cases within the rapidly evolving digital society. It is in this context that the supervisory authorities must adopt appropriate and proportionate decisions. The decision-making practice of the authorities can—and must—evolve in light of legal and technological developments. The fact that an authority is required to adapt its decision-making practice does not constitute an obstacle to the imposition of sanctions, such as administrative fines.


with the law in force, whereas the administrative fine is of a punitive nature.
68. Similarly, when adopting the LCA, the Belgian legislator did not intend to define specific modalities for all practices related to this law.


The penalty payment therefore also has an ancillary nature. The penalty payment and the administrative fine
69. In this regard, Article 70.1.e of the GDPR specifically delegates to the EDPB the task of "issuing guidelines, recommendations, and best practices" on any issue related to its application to promote consistent application. The importance of this consistency is also highlighted in Articles 57.1.g and 70.1.u of the GDPR. It should also be noted that Article 57.1.d of the GDPR assigns supervisory authorities the task of raising awareness among controllers and processors regarding their obligations under the GDPR.


are thus different both in their nature and in the objectives they pursue.
70. Therefore, while it is accurate to state that the guidelines published by the EDPB do not have binding force as they constitute soft law, it would be incorrect to deny them any legal effect. This denial ultimately, and implicitly, challenges the authority of the EDPB and supervisory authorities, which possess the appropriate expertise to carry out their assigned tasks, as reiterated in the previous paragraph—although this does not mean that parties to a case cannot contest the legal interpretation of the GDPR by the EDPB or a supervisory authority.


113. In a judgment of 19 February 2020, the Market Court considered the following:
71. In conclusion, the Contentious Chamber recalls that the guidelines of the EDPB and supervisory authorities clarify the provisions of the GDPR, but it is the violation of these provisions—applied concretely to a specific case—that justifies the imposition of corrective measures or sanctions.


“Before a sanction is imposed on him, the offender must be informed
#### II.3.2. On the Absence of a "Reject All" Button at the First Level of the Cookie Banner


of the nature of the sanction envisaged and its amount (in the case where a
72. Article 4.11 of the GDPR defines consent as "any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." Recital 42 of the GDPR specifies that "consent should not be regarded as freely given if the data subject does not have a genuine or free choice or is unable to refuse or withdraw consent without detriment."


fine is envisaged). The offender must be warned (in order to avoid
73. Article 5.1.a) of the GDPR states that personal data must be processed "lawfully, fairly, and transparently." For processing to be lawful, it must be based on the consent of the data subject or another lawful basis listed in Article 6.1 of the GDPR.


unnecessary sanctions) and have the opportunity to defend himself on the amount
74. Applying these provisions, it must be concluded that for every cookie banner, it should be as easy to consent to cookies as to refuse them. Therefore, both the button allowing acceptance of cookies and the button allowing refusal must appear together at each level of the cookie banner where the acceptance button appears. Otherwise, the consent obtained cannot be considered freely and unambiguously given.


of the fine proposed by the Litigation Chamber before the sanction is
75. The Contentious Chamber notes that in the present case, by not presenting the "Accept All" and "Reject All" buttons at the first level of the cookie banner—the first button being the only one present—the defendant not only makes it less visible to the data subjects that they can refuse cookies, but also makes refusal materially more difficult as more actions are required. In this sense, the data subjects—like the complainant—are encouraged to accept cookies.


actually imposed and implemented”.
76. The EDPB considers that an incentive is not necessarily contrary to the GDPR. It cites as an example a situation where a controller offering general discounts on clothing and fashion accessories asks for the data subject's consent to place cookies to better target their preferences. The incentive in this case is permitted as the data subject would not suffer any detriment if they were to withdraw their consent.


114. Following this judgment, the President of the Litigation Division then considered that sending
77. In the present case, however, the incentive cannot be considered permitted or valid. Unlike the incentive presented in the example above, this one offers no advantage to the data subject. Free choice implies that the button allowing the refusal of all cookies should be offered at least on an equal level with the button allowing acceptance of cookies. Additionally, it should be noted that the cookie banner forces users to make a choice, constituting a problematic "cookie wall" practice. Consequently, the consent given for cookies on the defendant's website was not freely given.


a sanction form was also required when the Litigation Division was considering
78. Moreover, the consent given by the data subject cannot be considered unambiguous. Indeed, by not informing the complainant


imposing a penalty payment.
of the option to refuse cookies, it cannot be considered that the complainant gave a clear affirmative action for the cookies' placement.


115. The position of the Litigation Division in this regard is now completely different, and considers
79. The findings established in the paragraphs above, concerning the first level of the cookie banner, are not altered by the fact that at other levels of the defendant's website, the "Accept All" and "Reject All" buttons are presented together. Requiring a controller to make it as easy to refuse cookies as to accept them is a concrete application of the validity conditions for consent as defined by Article 6.1.a) of the GDPR. The validity of consent must be assessed at the time when consent is effectively given—or not. Given that the complainant consented to cookies at the first level of the cookie banner, the validity of the consent collected must be assessed only at this level. This is especially true as, by definition, data subjects are first confronted with the first level of the cookie banner. Furthermore, the Contentious Chamber recalls that it is up to the controller to demonstrate that consent was obtained from the data subject under Article 7.1 of the GDPR.


that it should not inform the defendant of its intention to impose a penalty
80. In conclusion, the Contentious Chamber finds that the defendant violated Article 6.1.a) of the GDPR, as well as Article 10/2 of the LCA.


payment, for the following two reasons:
### II.3.3. On the Misleading Use of Button Colors


a) The obligation to send a sanction form to the defendant before the
81. Regarding the defendant’s first argument that neither the GDPR nor the LCA requires controllers to "use buttons and characters of identical size, importance, and color," the Contentious Chamber finds that the defendant is mistaken in thinking that the complainant supports this idea. The grievance raised in this regard claims that the cookie banner is designed in a way that encourages data subjects to click on the "Accept and Close" button, making the consent obtained not compliant with the GDPR requirements. The Contentious Chamber refers the parties to points 66 to 80.


decision is taken is based on the case law of the Market Court.
82. The Contentious Chamber observes that the defendant's cookie banner (see below) displays three colors. The text uses white font, and the banner background is dark blue. The "Learn More" button, which ultimately allows users to refuse cookies, is the same blue as the background but is separated by white borders. The "Accept and Close" button is in a striking orange color.


It is therefore an obligation in addition to the existing legal framework. This step, which
83. As stated in point 72, consent must be given freely, specifically, informed, and unambiguously. Following what was developed in point 71, requiring a controller to use button colors that do not clearly direct users to consent to the placement of cookies is necessary to ensure that the consent is free and unambiguous as defined under Article 6.1 of the GDPR.


is added to the Litigation Division’s procedure, makes it more cumbersome and stretches it out over
84. In this case, the Contentious Chamber believes that the color scheme used by the defendant clearly encourages users to click on the "Accept and Close" button, as this button stands out prominently from the rest of the cookie banner, attracting users’ attention. Therefore, the consent obtained from the complainant by the defendant concerning the placement of cookies is invalid.


time. While the Litigation Chamber recognises all the advantages, it nevertheless notes that this strictly national obligation may hinder the consistent application of the GDPR between the various supervisory authorities. In this way, the Litigation Chamber considers that this obligation should be interpreted restrictively, favouring an interpretation that does not contradict
  ```
  RTL info
  With your consent, our partners and we use cookies and similar technologies to store and access personal information like your visit on this site. You can withdraw your consent at any time by clicking on "Learn More" or in our cookie policy on this site.
  With our partners, we process the following data based on your consent:
  Essential cookies, precise geolocation data, and device identification analysis, personalized ads and content, ad and content performance measurement, audience data, and product development, social media, storage, and access to information on a device.
 
  LEARN MORE - ACCEPT & CLOSE
  ```


29
85. Firstly, the European Court of Human Rights defines artistic freedom of expression as "allowing participation in the public exchange of cultural, political, and social information and ideas of all kinds" (see, mutatis mutandis, the judgment Müller and Others v. Switzerland of May 24, 1988, Series A No. 133, p. 19, § 27). Those who create, interpret, disseminate, or display a work of art contribute to the exchange of ideas and opinions essential to a democratic society.
Free translation of the judgment of the Brussels Court of Appeal (Chamber 19A, Market Court section) of 19 February 2020,
2019/AR/1600. The original version of the translated extract follows as follows: "The inbreukpleger must voordat hem a sanctie wordt
opgelegd kennis krijgen van de aard van sanctie die overwogen wordt en van de omvang ervan (in geval een geldboete
overwogen wordt). De inbreukpleger moet gewaarschuwd worden (met als doel het nodeloos sanctioneren te vermijden) en de gelegenheid krijgenzich teverdedigen omtrent de doordeGeschillenkamer voorgesteldebedragenvan van deboete, voordat de sanctie effectiveef wordt opgelegd en uitgevoerd. ".
30 See the On-call Policy of the Litigation Chamber of December 23, 2020, https://www.autoriteprotectiondonnees.be/publications/politique-en-matiere-d-astreinte.pdf.                                                                          Decision on the merits 131/2024 — 29/33 with the objectives that the legislator pursued in conferring their powers to the supervisory authorities;


86. The Contentious Chamber also recalls that the right to data protection is a fundamental right. The European legislator implemented this right, notably in the GDPR and the ePrivacy Directive. The choices made by the legislator, including the consent conditions stipulated in the legislative texts, indicate the threshold of requirements that controllers must meet before they can rely on this consent for cookie placement and subsequent processing (Article 6.1.a of the GDPR and Article 10/2 of the LCA). Controllers have some discretion in implementing the conditions provided in the legislative bases mentioned above; however, they cannot choose the conditions of consent. It is the DPA's duty to enforce the application of the GDPR and the ePrivacy Directive.


          (b) As explained in point 112, the nature of the penalty payment differs
87. Regarding the artistic freedom of expression invoked by the defendant, the Contentious Chamber notes that Article 85.1 of the GDPR provides: "Member States shall reconcile, by law, the right to the protection of personal data under this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic, or literary expression."


fundamentally from that of the administrative fine. The penalty payment is in fact an
88. Recital 153 of the same Regulation specifies that such reconciliation should take place when necessary. It also states that notions related to this freedom should be interpreted broadly, considering the importance of the right to freedom of expression.


ancillary sanction, also intended to encourage the defendant to comply with the
89. The Belgian legislator has provided for exceptions in Article 24 of the LCA for the application of certain provisions of the GDPR for processing carried out for journalistic purposes and for academic, artistic, or literary expression, as follows:


main sanction. In this sense, it is widely recognised in legal doctrine that
  - § 1. Processing of personal data for journalistic purposes means the preparation, collection, writing, production, dissemination, or archiving for the purpose of informing the public using any media where the controller adheres to journalistic ethics.
  - § 2. Articles 7 to 10, 11.2, 13 to 16, 18 to 20, and 21.1 of the GDPR do not apply to the processing of personal data carried out for journalistic purposes and for academic, artistic, or literary expression.
  - § 3. Articles 30.4, 31, 33, and 36 of the GDPR do not apply to processing for journalistic purposes and for academic, artistic, or literary expression when their application would compromise a planned publication or constitute a prior control measure before publishing an article.
  - § 4. Articles 44 to 50 of the GDPR do not apply to the transfer of personal data carried out for journalistic purposes and for academic, artistic, or literary expression to third countries or international organizations to the extent necessary to reconcile the right to data protection with freedom of expression and information.
  - § 5. Article 58 of the GDPR does not apply to the processing of personal data carried out for journalistic purposes and for academic, artistic, or literary expression when its application would provide indications on information sources or constitute a prior control measure before publishing an article.


the penalty payment is not of a criminal nature. In conclusion, the choice to impose a
90. Firstly, it should be noted that Articles 5.1.a and 6.1 of the GDPR are not exempt for processing carried out for the purposes mentioned in point 87.


penalty payment is a matter for the strictest discretion of the Litigation Chamber, and
91. The Contentious Chamber also notes from the report on the work undertaken by the Cookie Banner TaskForce that no general model for cookie banners can be imposed on controllers regarding colors [and contrasts]. The same report explains that the validity of the cookie banner must be assessed case by case to verify that the colors or contrasts used do not clearly direct users towards a choice inconsistent with their personal data sharing preferences.


therefore cannot be contested by a party to the case. The Belgian legislator
92. This means that controllers, whose compliance with the GDPR must be assessed on a case-by-case basis, have considerable discretion in choosing colors [and contrasts] for their cookie banners. They are fully allowed to be creative, reflecting their brand identity. This discretion also allows controllers to comply with GDPR requirements while respecting principles of inclusive design, for example.


deliberately chose to confer this power to impose penalty payments on the
93. Moreover, the Contentious Chamber emphasizes that the defendant could keep the same colors used in its cookie banner, provided it swaps the color used for the acceptance button with that used for the refusal button. As explained in point 83, controllers must ensure that the color used does not clearly encourage users to consent to cookie placement. However, nothing prevents controllers from using a button color that similarly encourages users to refuse cookies.


APD; the will of the Belgian legislator must therefore be recognised and
94. Ultimately, the defendant wrongly argues that the requirements governing the choice of colors used in its cookie banner infringe its artistic freedom of expression and the coherent and aesthetically pleasing experience it wishes to offer its users, including visually impaired persons.


respected.
95. For the reasons stated above, the Contentious Chamber concludes that the defendant has violated Articles 5.1.a) and 6.1.a) of the GDPR, as well as Article 10/2 of the LCA.


116. Furthermore, the Litigation Division recalls that its decisions have no precedent value. The Litigation Division’s policies, for their part, have no binding value. The Litigation Division recognises that the publication of these policies
### II.3.4. On the Methods of Withdrawing Consent


establishes a certain trust with the public, and in any event strives to communicate
96. Article 7.3 of the GDPR states: "The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject shall be informed of this before giving consent. It shall be as easy to withdraw as to give consent."


transparently with the public. However, this cannot constitute
97. The EDPB specifies that a violation of Article 7.3 of the GDPR results in the non-compliance of the controller's consent mechanism.


an obstacle to the development of the Litigation Division’s practices and the
98. The report on the work undertaken by the Cookie Banner Taskforce specifies that no specific consent withdrawal model, including the solution of a floating banner or button (or "hovering solution"), can be imposed on controllers. The same report further states that a link placed in a visible and standardized location is an appropriate solution to comply with Article 7.3 of the GDPR.


legal framework implemented, which are essential.
99. The Contentious Chamber adds that the duty to allow data subjects to withdraw their consent as easily as they give it must be balanced with the convenience of use for data subjects. This duty should not make the browsing experience on the controller’s website burdensome for users—otherwise, it would be unreasonable.


117. In light of the reasons set out above, the Litigation Division exercises its prerogative
100. In this case, the Contentious Chamber observes that the defendant's website provides users with a "Manage Cookies" button at the bottom of each navigation page. The Contentious Chamber finds that this button is reasonably accessible to users.


to impose periodic penalty payments on the defendant in this case, and does not consider
101. Moreover, within the options presented in the "Manage Cookies" button, there are "Accept All" and "Reject All" buttons. Users can thus withdraw their consent with a single button click.


that it must inform the defendant in advance by means of a penalty form.
102. The fact that the withdrawal process is not identical to the method used to collect consent is not problematic here, as otherwise, the interests of users (and specifically the complainant) would be affected.


III.2.2. Practical arrangements for the penalty payment
103. Consequently, the Contentious Chamber decides to dismiss this grievance.


118. In order to give the defendant the time necessary to comply with the injunctions
### III. Corrective and Provisional Measures


issued in this decision, the penalty payment will not be implemented directly
104. Under Article 100 of the LCA, the Contentious Chamber has the authority to:


following notification of this decision to the defendant.
1. Dismiss the complaint;
2. Order a dismissal of proceedings;
3. Pronounce a suspension of the ruling;
4. Propose a settlement;
5. Issue warnings and reprimands;
6. Order compliance with the data subject's requests to exercise their rights;
7. Order the data subject to be informed of the security issue;
8. Order the freezing, limitation, or temporary or permanent prohibition of processing;
9. Order the processing to be brought into compliance;
10. Order the rectification, restriction, or erasure of data and the notification of such actions to the data recipients;
11. Revoke the certification of certification bodies;
12. Impose penalties;
13. Impose administrative fines;
14. Order the suspension of cross-border data flows to another state or international organization;
15. Transmit the case file to the prosecutor’s office of the Public Prosecutor of Brussels, who will inform them of the follow-up;
16. Decide, on a case-by-case basis, to publish its decisions on the website of the Data Protection Authority.


31
### III.1. Compliance Order
K. WAGNER, Dwangsom, Brussels, Story-Scientia, 2003, §7. Extract in the original language: “Zij [de dwangsom] is as prikkel tot
nakoming nooit bedoeld om daadwerkelijk te worden verbeurd…”. Free translation as follows: “It [the penalty payment] was never
intended to, in that it constitutes an incentive to performance…”. The Litigation Chamber specifies here that although
the penalty payment referred to in the aforementioned work refers to that used in civil law, and that it is therefore to be distinguished from the administrative penalty payment referred to by the LCA, it nevertheless considers it relevant to refer to it in order to better legally frame
the administrative penalty payment referred to by the LCA.


32Ibid., §20.
105. The Contentious Chamber deems it appropriate to impose two compliance orders on the defendant, based on the identified breaches.
33
In this sense, see, mutatis mutandisAGNER, op. cit., §.6. Extract in the original language: “Het doel van de dwangsom is de
lechtstreekse uitvoering van de verbintenissen te waarborgen . . .”. Free translation as follows: “The penalty payment aims
to ensure the execution of obligations…”. Decision on the merits 131/2024 — 30/33


119. In this case, the Litigation Chamber considers that a period of 45 days from the
106. Order 1: The Contentious Chamber requires the defendant to add a button that clearly allows the refusal of cookie placement with a single click, at the same level as the button allowing acceptance of cookies, at each level of the cookie banner where the button for accepting cookies is present.


notification of this decision is sufficient to allow the defendant to comply
107. Order 2: The Contentious Chamber requires the defendant to use colors and contrasts that are not clearly misleading. The button allowing the refusal of cookies must be displayed at least as prominently as the acceptance button. The Contentious Chamber specifies that the defendant may retain the current colors used in the cookie banner, provided it swaps the color used for the refusal button with the acceptance button; it refers to point 94 in this regard.


with the said injunctions.
108. As examples, the Contentious Chamber includes an illustration from its [Cookie Checklist](https://www.autoriteprotectiondonnees.be/publications/checklist-cookies.pdf) below as a good practice. However, the implementation of these orders is the sole responsibility of the defendant.


120. The period runs from the day on which the defendant receives the
109. Each of these two orders must be satisfied no later than the 45th day following the notification of this decision to the defendant. Within the same period, the defendant must submit a document to the Contentious Chamber and the complainant reflecting how it has complied with the two orders issued.


registered letter notifying it of this decision or from the day of expiry of the period during which the
110. In case of non-compliance—even apparent—beyond the 45th day following the notification of this decision, the Contentious Chamber will notify the defendant. From the date of this notification, the penalty will be enforced. It will only cease once the Contentious Chamber recognizes that the defendant has fully complied with the orders.


defendant is, where applicable, required to collect the said registered
### III.2. Accessory Sanction: The Penalty


letter from the post office.
#### III.2.1. Preliminary Considerations


121. The day after the expiry of this period, the Litigation Chamber notifies the defendant:
111. The penalty is fully conditional. The amount payable is uncertain. The defendant initially has a period to comply or to appeal the decision. It is only in the event of non-compliance after a 45-day period from the notification of this decision that the penalty will be enforced. Therefore, the amount of the penalty is variable and may even be zero, if applicable.


1) That the latter has fully complied with the injunctions issued in
112. The penalty differs from an administrative fine as it serves as an indirect means of enforcing the primary sanction(s) to achieve compliance with applicable law, while an administrative fine has a punitive character. The penalty thus also has an accessory nature. The penalty and the administrative fine differ both in their nature and the objectives they pursue.


this decision; or
113. In a judgment of February 19, 2020, the Court of Markets stated: 
  "Before a sanction is imposed, the offender must be informed of the nature of the proposed sanction and its amount (in the case where a fine is envisaged). The offender must be warned (to avoid unnecessary sanctions) and given the opportunity to defend the amount of the fine proposed by the Contentious Chamber before the sanction is effectively imposed and enforced."


2) That the defendant has partially complied with the injunctions issued in
114. Following this judgment, the President of the Contentious Chamber considered that issuing a sanction form was also necessary when the Contentious Chamber intended to impose a penalty.


this decision; or
115. The Contentious Chamber's position today is different, considering that it should not inform the defendant of its intention to impose a penalty for the following two reasons:


3) That the defendant has not complied with the injunctions issued in
  a) The obligation to send a sanction form to the defendant before the decision originates from the jurisprudence of the Court of Markets. It is an obligation that adds to the existing legal framework. This step in the Contentious Chamber’s procedure makes it heavier and more time-consuming. While the Contentious Chamber acknowledges all the benefits of this step, it notes that this strictly national obligation can hinder the consistent application of the GDPR among different supervisory authorities. The Contentious Chamber thus considers that this obligation should be interpreted restrictively, favoring an interpretation that does not conflict with the objectives pursued by the legislator in granting powers to supervisory authorities.


this decision.
  b) As explained in point 112, the nature of the penalty differs fundamentally from that of an administrative fine. The penalty is an accessory sanction, aimed at encouraging the defendant to comply with the primary sanction. In this sense, it is widely recognized in legal doctrine that the penalty is not punitive in nature. In conclusion, the decision to impose a penalty is at the strict discretion of the Contentious Chamber and cannot be contested by a party to the case. The Belgian legislator has deliberately chosen to grant this competence to impose penalties to the DPA; the intention of the Belgian legislator must be acknowledged and respected.


The Litigation Chamber shall initiate the enforcement of the penalty payment on the same day as this notification
116. The Contentious Chamber reminds that its decisions do not have precedent value. The policies of the Contentious Chamber are not binding. The Contentious Chamber recognizes that publishing these policies establishes a certain level of trust with the public and strives to communicate transparently with the public. However, this cannot constitute an obstacle to the development of the Contentious Chamber's practices and the legal framework implemented, which are essential.


in the second and third cases.
117. In light of the reasons mentioned above, the Contentious Chamber exercises its prerogative to impose penalties on the defendant in this case and does not consider that it must inform the defendant beforehand by means of a sanction form.


122. The amount of the penalty payments is as follows:
#### III.2.2. Practical Modalities of the Penalty


a) Injunction 1: the defendant must pay EUR 20,000 per day of delay from the day
118. To allow the defendant sufficient time to comply with the orders issued in this decision, the penalty will not be enforced immediately after the notification of this decision to the defendant.


on which the Litigation Chamber notifies it that it has partially or not at all
119. In this case, the Contentious Chamber considers that a period of 45 days from the notification of this decision is sufficient for the defendant to comply with the said orders.


complied with the injunctions issued in this decision;
120. The period begins on the day the defendant receives the registered letter notifying them of this decision or on the day the period expires for the defendant to collect the registered letter from the post office, if applicable.


b) Injunction 2: the defendant must pay EUR 20,000 per day of delay from the day
121. The day after this period expires, the Contentious Chamber notifies the defendant:


on which the Litigation Chamber notifies it that it has partially or not at all
  1) That they have fully complied with the orders issued in this decision; or
  2) That they have partially complied with the orders issued in this decision; or
  3) That they have not complied with the orders issued in this decision.


complied with the injunctions issued in this decision.
  The Contentious Chamber initiates the enforcement of the penalty on the same day of this notification in the second and third scenarios.


If the defendant fails to comply with both injunctions, it must then pay
122. The penalty amounts are as follows:


EUR 40,000 per day of delay from the day on which the Litigation Chamber notifies it that it
  a) Order 1: The defendant must pay EUR 20,000 per day of delay from the day the Contentious Chamber notifies them of partial or non-compliance with the orders issued in this decision;
  b) Order 2: The defendant must pay EUR 20,000 per day of delay from the day the Contentious Chamber notifies them of partial or non-compliance with the orders issued in this decision.


has partially or not at all complied with the injunctions issued in this
  If the defendant fails to satisfy both orders, they must then pay EUR 40,000 per day of delay from the day the Contentious Chamber notifies them of partial or non-compliance with the orders issued in this decision.


decision.
123. The Contentious Chamber reiterates, as stated in point 112, that the penalty does not have a punitive character. Each order is accompanied by a penalty to ensure its proper execution. The penalty amounts are reasonable in view of the harm caused by the defendant to the complainant’s rights, and to users more generally, as well as considering the defendant's financial capacity and the benefit they may derive from non-compliance with the orders.


123. The Litigation Chamber recalls, as it did in point 112, that the penalty payment is
124. If the defendant considers that full compliance with the orders is impossible within the prescribed period despite all reasonable efforts, they may submit a motivated request for an extension to the Contentious Chamber within 45 days following the notification of this decision.


not punitive in nature. The injunctions are each accompanied by a penalty payment in order to
125. The penalty is daily and cannot exceed a maximum amount of EUR 2,000,000.


ensure their proper execution. The amount of the penalty payments is reasonable in view of
126. The practical modalities of the penalty can be schematized as follows:


the infringement that the defendant has caused to the rights of the complainant, and of
  - Receipt of the compliance notification: partial or null compliance – initiation of the penalty EUR 20,000 per day per infraction


users more generally, but also in view of the financial capacity 34 of the defendant and the
127. Given the importance of transparency concerning the decision-making process of the Contentious Chamber, this decision is published on the Data Protection Authority’s website.


benefit that it can derive from the non-execution of the injunctions in question.
128. Considering that the defendant is a major player in the television and radio services sector, and that the personal data processing carried out by the defendant is conducted on a national scale, the Contentious Chamber believes that the defendant’s identity must be known in this decision. This is also consistent with the position already taken by the Contentious Chamber in similar cases involving media groups.


34During the 2023 tax year, the defendant achieved a turnover of EUR 225,063,613. See in this regard
129. Knowing the defendant’s identity is also important to better understand the procedure followed in this case. Noyb has revealed the circumstances of this procedure on its website. Therefore, it is appropriate to detail transparently the differences in the examination of the present complaint compared to other complaints filed by complainants represented by noyb.
https://consult.cbso.nbb.be/consult-enterprise. Decision on the merits 131/2024 — 33/33


36
+--------------------------------------------------------------------------------+
filed with the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or
| FOR THESE REASONS,                                                            |
|                                                                                |
| The Contentious Chamber of the Data Protection Authority decides, after        |
| deliberation:                                                                  |
|                                                                                |
| In accordance with Article 100, §1, 9° of the LCA, to order the defendant to  |
| add a button that clearly allows users to refuse the placement of cookies with |
| a single click, at each level of the cookie banner where there is a button    |
| allowing the acceptance of cookies with a single click, in compliance with    |
| Article 6 of the GDPR and Article 10/2 of the LCA, and to provide both the    |
| complainant and the Contentious Chamber with documentation on the measures    |
| taken to comply with this order (Injunction 1). Furthermore, the Contentious  |
| Chamber requires the defendant to use colors and contrasts that are not        |
| manifestly misleading. The button clearly allowing the refusal of cookies must |
| be displayed at least as prominently as the acceptance button (Injunction 2);  |
|                                                                                |
| In accordance with Article 100, §1, 12° of the LCA, to accompany Injunction 1  |
| with a penalty. The defendant must pay 20,000 EUR per day of delay from the    |
| day the Contentious Chamber notifies that it has partially or not at all      |
| complied with the orders issued in this decision;                              |
|                                                                                |
| In accordance with Article 100, §1, 12° of the LCA, to accompany Injunction 2  |
| with a penalty. The defendant must pay 20,000 EUR per day of delay from the    |
| day the Contentious Chamber notifies that it has partially or not at all      |
| complied with the orders issued in this decision;                              |
|                                                                                |
| In accordance with Article 100, §1, 1° of the LCA, to dismiss the third        |
| grievance related to the modalities for withdrawing consent.                  |
+--------------------------------------------------------------------------------+


via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code).
In accordance with Article 108, § 1 of the LCA, an appeal against this decision can be lodged within thirty days from its notification, with the Court of Market (Court of Appeal of Brussels), naming the Data Protection Authority as the defendant. Such an appeal can be submitted by means of an interlocutory application, which must contain the information enumerated in Article 1034ter of the Judicial Code. The interlocutory application must be:


(sé). Hielke H IJMANS
1. The indication of the day, month, and year;
2. The name, first name, and address of the applicant, as well as, if applicable, their status and national registration number or company number;
3. The name, first name, address, and, if applicable, the status of the person to be summoned;
4. The subject and a summary statement of the grounds for the claim;
5. The indication of the judge who is seized of the request;
6. The signature of the applicant or their lawyer.


President of the Litigation Chamber
The application must be filed at the registry of the Court of Market in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code).


36The application, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by registered letter
(signed) Hielke HIJMANS 
to the clerk of the court or filed with the registry.
President of the Contentious Chamber
</pre>
</pre>

Latest revision as of 11:39, 21 October 2024

APD/GBA - 131/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 5(3) ePrivacy Directive 2002/58/EC
Art. 10/2 Loi relative à la protection des personnes physiques à l'égard des traitements de données à caractère personnel
Type: Complaint
Outcome: Partly Upheld
Started: 19.07.2023
Decided: 11.10.2024
Published:
Fine: n/a
Parties: RTL Belgium SA
National Case Number/Name: 131/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: APD-GBA (in FR)
Initial Contributor: fb

The DPA reprimanded a media company for failing to implement an option to reject cookies on the first layer of the cookie banner on one of its websites. Also, the option to accept all cookies was unlawfully highlighted in a catchy colour.

English Summary

Facts

On 10 February 2023 the data subject, a trainee working at noyb – European Center for Digital Rights, visited the website of the controller, a Belgian media company.

The data subject noticed that the cookie banner of this website had an “Accept all” and a “Know more” button. The data subject believed that this cookie banner was unlawful under the GDPR. Therefore, under Article 80(1) GDPR, she mandated noyb to file a complaint with the DPA on her behalf.

More specifically, the data subject pointed out the following violations:


First of all, the controller argued that noyb cannot represent the data subject since, when she filed the complaint, she was volunteering as a trainee for that organisation.

Furthermore, the controller noted that the GDPR does not require websites to have a “Reject all” button, nor the “Accept” button to have a specific colour.

Holding

On the representation agreement under Article 80(1) GDPR

First, the DPA held that noyb can represent the data subject. It pointed out that the representation agreement between the former and the latter is valid under Article 80(1) GDPR.

Moreover, it noted that the data subject decided on her own to visit the website and that nothing opposes to the fact that an organisation under Article 80 GDPR can represent one of its employees or volunteers.

Furthermore, the DPA held that the fact that noyb has provide technical and legal assistance to the data subject is not a problem. On the contrary, according to the DPA, this represent a good practice.

On the merits

On the merits, the DPA noted that, according to Article 4(11) GDPR, consent must be freely given. In a cookie banner, this means that accepting should be as easy as refusing the installation of the cookies.

Therefore, the cookie banner should have, all on the first layer, both an “Accept all” and a “Refuse all” button. On these grounds, the DPA found a violation of Article 6(1)(a) GDPR and of Article 10/2 Loi-cadre.

As for the button colours, the DPA is of the opinion that the colours used by the controller are able to manifestly induce the data subject to click on the “accept all” button, since the latter, having a bright colour, stands out from the resto of the banner. Therefore, the DPA found a violation of Articles 5(1)(a) and 6(1)(a) GDPR and Article 10/2 Loi-cadre.

Finally, as for the options to withdraw consent, the DPA noted that the controller placed a button that allows to manage the cookies at the bottom of each page of its website. The DPA considered this solution enough to comply with the requirement set by Article 7(3) GDPR and, therefore, rejected this point of the complaint.

On these grounds, the DPA reprimanded the controller and ordered it to implement a GDPR-compliant cookie banner.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

# Contentious Chamber  
Decision on the Merits 131/2024  
Date: October 11, 2024  
Case Number: DOS-2023-03283  
Subject: Complaint regarding the cookie banner on RTL Belgium's website  

The Contentious Chamber of the Data Protection Authority, composed of Mr. Hielke Hijmans, President, and Messrs Christophe Boeraeve and Jelle Stassijns, members;

Considering:

- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the "GDPR";
- The Law of December 3, 2017, establishing the Data Protection Authority (hereinafter "LCA");
- The Internal Regulations approved by the House of Representatives on December 20, 2018, and published in the Belgian Official Gazette on January 15, 2019;
- The documents in the file;

Has made the following decision regarding:

- Complainant: X, represented by noyb – European Center for Digital Rights, located at Goldschlagstraße 172/4/3/2, 1140 – Vienna (AT), registered in Austria under the company number ZVR 1354838270, hereinafter "the complainant".
- Defendant: RTL Belgium, with its registered office at Avenue Jacques Georgin, 2 – 1030 Schaerbeek, registered under the company number 0428.201.847, represented by Laurence Vandenbrouck, hereinafter "the defendant".

1. On July 19, 2023, the complainant filed a complaint with the Data Protection Authority against the defendant. The Contentious Chamber notes that the complaint form is dated July 18, 2023; however, it was submitted to the DPA during the night of July 18 to 19, 2023. Therefore, the latter date should be retained as the formal filing date of the complaint.

2. The subject of the complaint concerns several aspects related to the cookie banner on the defendant's website, which allegedly contravene the principles of the GDPR and the LCA.

3. On February 10, 2023, the complainant visited the defendant's website as part of a project initiated with a colleague during her internship at noyb. She explained that she took this initiative to verify if certain websites, including that of the defendant, belonging to major Belgian media groups that had previously entered into transactions with the DPA, complied with the GDPR. During this visit, the complainant and her colleague identified potential GDPR violations. Following this observation, the complainant created a HAR file to document these potential violations. In the meantime, she mandated noyb, mainly to obtain technical assistance, as she was unable to prepare the HAR file herself. Subsequently, the complainant prepared a complaint, the grievances of which, identical to the arguments raised in her conclusions, will be developed in point 16. Within the scope of her mandate, noyb reviewed and corrected the complaint prepared by the complainant. It should be noted that there is some ambiguity in the complainant's statements regarding the preparation of the complaint, as she also mentioned that noyb had prepared the complaint, and that she had only written part of it and reviewed the rest.

4. On August 4, 2023, the First-Line Service (hereinafter "SPL") requested noyb to provide information on the complainant's interest in acting.

5. On August 25, 2023, the SPL declared the complaint admissible based on Articles 58 and 60 of the LCA and forwarded it to the Contentious Chamber in accordance with Article 62, §1 of the LCA.

6. On September 1, 2023, noyb responded to the SPL that the complainant demonstrates an interest in acting, as she is a concerned person whose personal data was processed after she consented to the deposit of cookies on the defendant's website. Since the processing of these data is considered unlawful by both her and noyb, the complainant believes her rights have been affected. In this regard, she relies on annexes. In any event, noyb states that demonstrating an interest in acting on the complainant’s behalf is not a condition for the admissibility of the complaint.

7. On October 20, 2023, the Contentious Chamber proposed a settlement – previously communicated to the complainant – to the defendant.

8. On November 27, 2023, the defendant did not consider the terms of the settlement acceptable and, therefore, requested a re-evaluation. However, it did not oppose a new settlement proposal.

9. On December 1, 2023, the Contentious Chamber replied that it would withdraw the settlement proposal unless decisive elements were presented before December 6, 2023.

10. On December 18, 2023, the Contentious Chamber formally withdrew the settlement proposal.

11. On February 5, 2024, the Contentious Chamber decided, under Article 95, §1, 1° and Article 98 of the LCA, that the case could be examined on the merits. On that date, the concerned parties were informed by registered mail of the provisions as outlined in Article 95, §2 and Article 98 of the LCA. They were also informed, under Article 99 of the LCA, of the deadlines for submitting their conclusions. The deadline for the defendant’s response was set for March 18, 2024, the complainant’s reply for April 8, 2024, and the defendant’s rejoinder for April 29, 2024.

12. On February 8, 2024, the defendant accepted electronic communication for all case-related matters and expressed its intention to exercise the option to be heard, in accordance with Article 98 of the LCA. It also requested a copy of the file (Article 95, §2, 3° LCA), which was provided on February 19, 2024.

13. On February 9, 2024, the complainant agreed to receive all communications electronically and also requested a copy of the file (Article 95, §2, 3° LCA), which was provided on February 19, 2024. She also requested that the procedure continue in Dutch.

14. On February 19, 2024, the Contentious Chamber decided to maintain French as the language of the procedure, as the complaint was filed in French, and the website of the defendant against which the grievances are directed is in French. The complainant did not provide any other justification for changing the language for the continuation of the procedure. Moreover, given the time taken to communicate the administrative file to the parties, the Contentious Chamber decided to extend the deadlines for submitting conclusions. The new deadline for the defendant’s response is now set for March 25, 2024, the complainant’s reply for April 15, 2024, and the defendant’s rejoinder for May 6, 2024.

15. On March 25, 2024, the Contentious Chamber received the defendant’s response. The defendant’s additional and summary submissions are summarized in point 17.

16. On April 15, 2024, the Contentious Chamber received the complainant's reply, which can be summarized as follows:

   - Regarding the admissibility and admissibility of the complaint:
     - Article 220, §2, 1° of the Law of July 30, 2018, should be disregarded as it violates Article 80.1 of the GDPR. The complainant argues that Article 26, §4 of the Special Law of January 6, 1989, on the Constitutional Court, does not apply since the DPA is not a judicial body, and therefore, it should not pose a preliminary question before disregarding the provision mentioned. Furthermore, even if Article 26, §4 of the Special Law were applicable, this would not prevent the provision from being disregarded due to the absolute primacy of European law. The complainant supports this with judgments from the Court of Justice of the European Union (CJEU).
     - The mandate is sufficiently precise as the terms of the mandate specify what noyb is authorized to do. Article 1984 of the Civil Code does not require more specificity than what is provided in this case.
     - The complaint is admissible as it was signed by the chairman of noyb’s board under Article 58 of the LCA. The complainant argues that the article does not require the complainant’s personal signature but allows a representative’s signature. Moreover, the absence of a signature is not grounds for inadmissibility or rejection under Article 60 of the LCA.
     - The complainant is validly represented by noyb under Article 80.1 of the GDPR, and the fact that the complainant interned at noyb does not affect this conclusion. The complainant references a CJEU judgment affirming valid representation by noyb despite a subordinate relationship.

---

Footnotes:

1. The new internal regulations of the DPA, following the amendments by the Law of December 25, 2023, came into force on June 1, 2024. They apply only to complaints, mediation files, requests, inspections, and procedures initiated after this date.

---

### II. Motivation

#### II.1. Regarding the Procedure

23. During the hearing held on July 1, 2024, the defendant raised two preliminary remarks that must be addressed. The defendant brought to the attention of the Contentious Chamber that (i) a procedure with some similarities to the present case is pending before the Court of Markets. In that case, a settlement proposal was submitted to a data controller, which was unilaterally withdrawn by the Contentious Chamber. The data controller then appealed to the Court of Markets, contesting the unilateral withdrawal of the settlement proposal by the Contentious Chamber. The defendant thus asks whether it would be appropriate to suspend the present proceedings until the Court of Markets delivers its judgment. (ii) Furthermore, the defendant pointed out that the complainant previously worked as a lawyer at the law firm that represented the DPA before the Court of Markets in the aforementioned case. The defendant considers that this could suggest a potential conflict of interest or a possible breach of the principle of impartiality—both in its subjective and objective dimensions.

(i) Regarding the Remark Related to the Pending Procedure before the Court of Markets

24. As the Contentious Chamber stated during the hearing, the procedure pending before the Court of Markets is not comparable to the present case. While the procedure before the Court of Markets referred to by the defendant concerns a settlement proposal unilaterally withdrawn by the Contentious Chamber, which was contested by the party to whom the proposal was submitted, it should be noted that in the present case, the defendant refused the terms of the proposed settlement. When the Contentious Chamber informed the defendant that it would withdraw the proposal, the defendant did not object. Therefore, there is no longer a settlement proposal in the present case, and the procedure continues validly with a substantive examination of the file.

(ii) Regarding the Potential Conflict of Interest or Breach of the Principle of Impartiality

25. Although the principle of impartiality applies to administrative authorities, including the Contentious Chamber, it should be noted, according to established jurisprudence of the Council of State: "the general principle of impartiality must be applied to any active administrative body. It is sufficient that an appearance of partiality could have raised a legitimate doubt in the applicant's mind about the ability to address their case impartially. However, this principle only applies insofar as it aligns with the specific nature, and particularly the structure, of the active administration. Furthermore, the impartiality of a collegial body can only be challenged if, on the one hand, specific facts that cast doubt on one or more members of that body can be legally established and, on the other hand, if it is evident from the circumstances that the bias of that member(s) could influence the entire body. It is up to the person alleging that the authority has not acted with independence, impartiality, and care to provide evidence."  
   (C.E., November 30, 2022, 255.145, Lemaire and Loslever; see also C.E., January 19, 2022, 252.684, XXX).

26. It is therefore up to the party alleging a breach of the principle of impartiality to provide evidence of specific facts that would indicate that the principle of impartiality has been violated.

27. A distinction is made between objective and subjective impartiality.

28. The Contentious Chamber emphasizes, firstly, that the law firm in question was selected following a public procurement process (at a time not suspect), and must therefore respect the principles of equality, non-discrimination, transparency, and proportionality with regard to all bidders, and must be based on objective award criteria. Furthermore, the complainant acts as a concerned person, outside of any link with her former profession as a lawyer at the concerned law firm. As the defendant has not provided further evidence demonstrating that the Contentious Chamber has given the appearance of bias, the Contentious Chamber cannot conclude that it has breached the principle of objective impartiality.

29. Furthermore, the Contentious Chamber notes that the defendant has not provided any evidence indicating that it may have acted with bias or intervened in the present proceedings in a manner that compromised the objectivity of the debates. In the end, the defendant has not provided proof of any concrete actions by the Contentious Chamber that would allow the conclusion that it acted with partiality.

30. Consequently, the Contentious Chamber considers that there is no risk of a conflict of interest in this case and that it has not breached the principle of impartiality, whether in its objective or subjective dimension.

#### II.2. Regarding the Admissibility and Receivability of the Complaint

##### II.2.1. Regarding the Constitution of noyb

31. Article 80.1 of the GDPR states: "The data subject shall have the right to mandate a not-for-profit body, organization, or association, which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of the rights and freedoms of data subjects with regard to the protection of their personal data, to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78, and 79 and to exercise the right to receive compensation referred to in Article 82 where provided for by the law of the Member State."

32. Article 220, §2 of the LCA specifies:  
   "§ 2. In disputes provided for in paragraph 1, a body, organization, or non-profit association must:
   - 1° be properly constituted in accordance with Belgian law;
   - 2° have legal personality;
   - 3° have statutory objectives of public interest;
   - 4° have been active in the field of protecting the rights and freedoms of data subjects with regard to the protection of their personal data for at least three years."

33. The Contentious Chamber has previously expressed doubts about the compatibility of certain aspects of the Belgian provision with the GDPR.

34. The primacy of European law requires the disregard of any national provision that cannot be interpreted in accordance with a European legal standard—such disregard being a duty for all state bodies, including judicial and administrative authorities tasked with applying European law within their respective competencies.

35. If there are reasons to believe that a law—understood within the meaning of Article 22 of the Constitution—violates "a fundamental right guaranteed in whole or in part similarly by a provision of Title II of the Constitution as well as by a provision of European law […]" it is up to the court before which this situation arises to refer a preliminary question to the Constitutional Court.

36. The CJEU has ruled that an incidental procedure for reviewing the constitutionality of national laws complies with Union law, provided that this procedure respects four conditions:
   - Other national courts remain free "to refer to the Court of Justice at any stage of the procedure, even after the incidental review procedure, any preliminary question they deem necessary";
   - Other national courts remain free "to adopt any measures necessary to ensure the provisional judicial protection of the rights conferred by the Union legal order";
   - Other national courts remain free "to disregard, following such an incidental procedure, the national legislative provision in question if they find it contrary to Union law";
   - "It is up to the referring court to verify whether the national legislation in question can be interpreted in accordance with these requirements of Union law."

37. The Contentious Chamber notes that the special legislator has limited the scope of Article 26, §4 of the Special Law to ordinary and administrative courts only.

38. The Contentious Chamber, however, is not part of the judiciary—it is an administrative authority.

39. Therefore, Article 26, §4 of the Special Law does not apply to the Contentious Chamber, and it neither has the obligation nor the possibility to refer a preliminary question to the Constitutional Court.

40. Given that there is no other incidental procedure for constitutional review, the Contentious Chamber must directly ensure that it gives full effect to the European legal standards it must apply within its competence—namely, Article 80.1 of the GDPR in this case.

41. Following what was stated in point 33, the Contentious Chamber asserts that Article 220, §2, 1° of the LCA contradicts the aforementioned provision of the GDPR as it restricts the scope of the latter, rendering them incompatible.

42. Consequently, Article 220, §2, 1° of the LCA must be disregarded.

##### II.2.2. Validity of the Mandate

43. Regarding the representation mandate, the Contentious Chamber notes that it includes the details of the principal and the agent, and the former mandates the latter to represent her before the DPA and to take any necessary actions to uphold her rights regarding the collection and processing of her data on the defendant’s website. The Contentious Chamber adds that, in the annexes to the complaint form, the mandate is titled as follows: "Exhibit 1 – Representation Agreement under Article 80(1) GDPR."

44. Regarding this element, the Contentious Chamber cannot agree with the defendant's argument that noyb attempted to "cover up" the absence of a reference to Article 80.1 of the GDPR in the body of the mandate. On the one hand, noyb claims that this reference was already present at the time of signing. On the other hand, the Contentious Chamber points out that the validity of the mandate should be assessed at the time of the complaint’s filing. Therefore, it does not seem plausible that noyb sought to "cover up" the absence of a reference to Article 80.1 of the GDPR—since the absence would render the mandate invalid—considering it would have been enough to redo the mandate. Therefore, the mandate should be read in light of its title as an annex

. Read in this way, it is clear that the mandate was concluded under Article 80.1 of the GDPR.

45. Regarding the alleged contradictions in the mandate raised by the defendant, the Contentious Chamber recalls that it cannot interpret the mandate too restrictively. As an administrative authority, the Contentious Chamber oversees the correct application of the GDPR. In this capacity, it is authorized to impose one or several sanctions listed in Articles 95, §1, or 100, §1 of the LCA to protect the fundamental rights of data subjects. The mandate, as it appears in the file, allows for the identification of the parties to the contract, the data controller against whom the complainant addresses her grievances, the supervisory authority where the complaint is filed, and a reference to Article 80.1 of the GDPR under which the mandate was granted. These elements justify the actions that noyb undertakes on behalf of the complainant before the DPA. Imposing further conditions on the mandate would compromise the oversight responsibility of the Contentious Chamber and the rights of data subjects. The Contentious Chamber clarifies that the elements mentioned above should not be interpreted as setting any minimum threshold.

46. Finally, in any case, the Contentious Chamber notes that Article 17 of the Judicial Code does not apply to the Contentious Chamber, as it is an administrative authority, as stated in point 38.

##### II.2.3. Lack of Signature on the Complaint

47. Article 58 of the LCA states: "Any person may submit a written, dated, and signed complaint or request to the Data Protection Authority."

48. Article 60 of the same law stipulates that, in assessing the admissibility of complaints it receives, the SPL verifies that the complaint is "written in one of the national languages," "contains a statement of facts and the necessary details to identify the processing to which it relates," and that the complaint "falls within the competence of the Data Protection Authority."

49. Contrary to what noyb claims, these two provisions should not be read separately but rather together. Thus, the formal requirements prescribed by Article 58 of the LCA must also be taken into account when assessing admissibility under Article 60 of the same law.

50. The Contentious Chamber notes that the complaint form was signed by the chairman of noyb's board of directors with the following mention: "For noyb."

51. In this regard, the Belgian legislator specified that the signature must come from "the competent person in the matter," but not necessarily from the complainant. Therefore, it must be understood that at least the representative may sign the complaint form. This also follows from Article 80.1 of the GDPR, which provides that the data subject has the right to mandate "a body, organization, or non-profit association […] to lodge a complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78, and 79 [of the GDPR]."

52. As a legal entity, noyb must be represented by one of its members in the actions it takes. Accordingly, the chairman of noyb's board of directors signed the complaint form—in the exercise of this function, which authorizes him to take such actions.

53. It cannot be inferred from the mention "For noyb" that noyb acts as the complainant, as this note is precisely intended to engage noyb’s responsibility and not that of its chairman in his capacity as a natural person.

### II.2.4. The Interest to Act

54. The Contentious Chamber acknowledges the content of its decision 22/2024; however, it is necessary to highlight the differences that distinguish the facts of the aforementioned decision from those in the present decision.

55. Although the complainants share the fact of having interned at noyb and, in this context, consulted websites that subsequently motivated the filing of a complaint with the DPA in both decisions, it must be noted that in the facts examined in decision 22/2024, noyb had implemented a large-scale plan aimed at filing dozens of complaints against multiple data controllers with various supervisory authorities—including the DPA. Moreover, the complainant had explicitly acknowledged being assigned various files, including the defendant’s website from the aforementioned decision. These elements—along with others—led the Contentious Chamber to consider the mandate concluded between the complainant and noyb as fictitious at that time. However, such a conclusion cannot be drawn in the present case. The complainant—a French speaker—consulted the French-language website of the defendant based on a personal initiative, which does not fall within the framework of other coordinated noyb projects. In principle, there is nothing to prevent noyb from representing one of its employees or interns.

56. Furthermore, no link can be established between the present complaint and the complaints filed against the 15 Belgian websites mentioned in noyb’s July 2023 press release. Although there is indeed evidence of some coordination in the present case, it is not established that this coordination occurred before the complainant’s grievances emerged. In any event, the elements of the present case do not establish that noyb exerted any pressure on the complainant.

57. Therefore, there is no basis for asserting that the mandate is fictitious.

58. In this case, the relationship between the complainant and noyb can be summarized as follows:

   Relationship  
   Master  
   Intern  
   NOYB  
   -• -• -•  
   Absence of evidence  
   of instructions  
   \  
   Complainant  
   Suffers violations  
   Files a complaint with the DPA

59. The fact that noyb provided technical and legal assistance to the complainant does not alter this finding. On the contrary, this constitutes good practice that one could reasonably expect from an entity with which a person is interning.

60. Therefore, the complainant's interest to act does not need to be demonstrated, as she is a concerned person—her personal data having been processed by the defendant.

### II.3. Regarding the Substance of the Case

61. As a preliminary point, the Contentious Chamber recalls that the right to the protection of personal data is a fundamental right guaranteed by Article 8 of the Charter of Fundamental Rights of the European Union.

62. With this in mind, all complaints should be examined, especially those concerning the consent of the data subject.

63. The GDPR indeed provides several lawful bases—which are recalled in point 73—among which is the consent of the data subject.

64. Regarding the collection and granting of consent online, a binary reading cannot suffice. The Contentious Chamber understands that each situation must be examined on a case-by-case basis, based on the material modalities of the collection and granting of consent. Furthermore, the Contentious Chamber emphasizes that the collection and granting of online consent have certain particularities. The internet has significantly changed practices and occupies most citizens' time, especially young people. Thus, what could be termed a routine consent has emerged. Internet users navigate from website to website, from page to page, and are therefore confronted with numerous cookie banners. As a result, the warning effect of the cookie banner diminishes, and the data subjects may give their consent by default due to the fatigue thus caused. This issue is compounded when data controllers design cookie banners that encourage users to accept cookies.

65. These reasons compel the Contentious Chamber to examine the present case with the utmost sensitivity.

#### II.3.1. On the Interaction Between the GDPR and the LCA with the Guidelines

66. The Contentious Chamber addresses the arguments made by the defendant regarding Type 1 (see points 72 to 80, "On the absence of a 'Reject All' button at the first level of the cookie banner") and Type 2 (see points 81 to 95, "On the misleading use of button colors") violations, wherein the defendant claims that neither the GDPR nor the LCA require the implementation of a "Reject All" button at the first level of the cookie banner or the use of "buttons and characters of the same size, importance, and color." The defendant adds that the guidelines from the EDPB and supervisory authorities are not binding as they constitute soft law.

67. Firstly, the Contentious Chamber recalls that the GDPR, as a European Regulation, is directly applicable in all Member States. As such, the GDPR has a general scope. It cannot be expected that the European legislator intended to define in detail the specific modalities of all practices related to this act when adopting this Regulation. On the contrary, it established general and abstract rules that must be adhered to by the entities concerned. Supervisory authorities, in particular, must apply these principles and rules to specific cases within the rapidly evolving digital society. It is in this context that the supervisory authorities must adopt appropriate and proportionate decisions. The decision-making practice of the authorities can—and must—evolve in light of legal and technological developments. The fact that an authority is required to adapt its decision-making practice does not constitute an obstacle to the imposition of sanctions, such as administrative fines.

68. Similarly, when adopting the LCA, the Belgian legislator did not intend to define specific modalities for all practices related to this law.

69. In this regard, Article 70.1.e of the GDPR specifically delegates to the EDPB the task of "issuing guidelines, recommendations, and best practices" on any issue related to its application to promote consistent application. The importance of this consistency is also highlighted in Articles 57.1.g and 70.1.u of the GDPR. It should also be noted that Article 57.1.d of the GDPR assigns supervisory authorities the task of raising awareness among controllers and processors regarding their obligations under the GDPR.

70. Therefore, while it is accurate to state that the guidelines published by the EDPB do not have binding force as they constitute soft law, it would be incorrect to deny them any legal effect. This denial ultimately, and implicitly, challenges the authority of the EDPB and supervisory authorities, which possess the appropriate expertise to carry out their assigned tasks, as reiterated in the previous paragraph—although this does not mean that parties to a case cannot contest the legal interpretation of the GDPR by the EDPB or a supervisory authority.

71. In conclusion, the Contentious Chamber recalls that the guidelines of the EDPB and supervisory authorities clarify the provisions of the GDPR, but it is the violation of these provisions—applied concretely to a specific case—that justifies the imposition of corrective measures or sanctions.

#### II.3.2. On the Absence of a "Reject All" Button at the First Level of the Cookie Banner

72. Article 4.11 of the GDPR defines consent as "any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." Recital 42 of the GDPR specifies that "consent should not be regarded as freely given if the data subject does not have a genuine or free choice or is unable to refuse or withdraw consent without detriment."

73. Article 5.1.a) of the GDPR states that personal data must be processed "lawfully, fairly, and transparently." For processing to be lawful, it must be based on the consent of the data subject or another lawful basis listed in Article 6.1 of the GDPR.

74. Applying these provisions, it must be concluded that for every cookie banner, it should be as easy to consent to cookies as to refuse them. Therefore, both the button allowing acceptance of cookies and the button allowing refusal must appear together at each level of the cookie banner where the acceptance button appears. Otherwise, the consent obtained cannot be considered freely and unambiguously given.

75. The Contentious Chamber notes that in the present case, by not presenting the "Accept All" and "Reject All" buttons at the first level of the cookie banner—the first button being the only one present—the defendant not only makes it less visible to the data subjects that they can refuse cookies, but also makes refusal materially more difficult as more actions are required. In this sense, the data subjects—like the complainant—are encouraged to accept cookies.

76. The EDPB considers that an incentive is not necessarily contrary to the GDPR. It cites as an example a situation where a controller offering general discounts on clothing and fashion accessories asks for the data subject's consent to place cookies to better target their preferences. The incentive in this case is permitted as the data subject would not suffer any detriment if they were to withdraw their consent.

77. In the present case, however, the incentive cannot be considered permitted or valid. Unlike the incentive presented in the example above, this one offers no advantage to the data subject. Free choice implies that the button allowing the refusal of all cookies should be offered at least on an equal level with the button allowing acceptance of cookies. Additionally, it should be noted that the cookie banner forces users to make a choice, constituting a problematic "cookie wall" practice. Consequently, the consent given for cookies on the defendant's website was not freely given.

78. Moreover, the consent given by the data subject cannot be considered unambiguous. Indeed, by not informing the complainant

 of the option to refuse cookies, it cannot be considered that the complainant gave a clear affirmative action for the cookies' placement.

79. The findings established in the paragraphs above, concerning the first level of the cookie banner, are not altered by the fact that at other levels of the defendant's website, the "Accept All" and "Reject All" buttons are presented together. Requiring a controller to make it as easy to refuse cookies as to accept them is a concrete application of the validity conditions for consent as defined by Article 6.1.a) of the GDPR. The validity of consent must be assessed at the time when consent is effectively given—or not. Given that the complainant consented to cookies at the first level of the cookie banner, the validity of the consent collected must be assessed only at this level. This is especially true as, by definition, data subjects are first confronted with the first level of the cookie banner. Furthermore, the Contentious Chamber recalls that it is up to the controller to demonstrate that consent was obtained from the data subject under Article 7.1 of the GDPR.

80. In conclusion, the Contentious Chamber finds that the defendant violated Article 6.1.a) of the GDPR, as well as Article 10/2 of the LCA.

### II.3.3. On the Misleading Use of Button Colors

81. Regarding the defendant’s first argument that neither the GDPR nor the LCA requires controllers to "use buttons and characters of identical size, importance, and color," the Contentious Chamber finds that the defendant is mistaken in thinking that the complainant supports this idea. The grievance raised in this regard claims that the cookie banner is designed in a way that encourages data subjects to click on the "Accept and Close" button, making the consent obtained not compliant with the GDPR requirements. The Contentious Chamber refers the parties to points 66 to 80.

82. The Contentious Chamber observes that the defendant's cookie banner (see below) displays three colors. The text uses white font, and the banner background is dark blue. The "Learn More" button, which ultimately allows users to refuse cookies, is the same blue as the background but is separated by white borders. The "Accept and Close" button is in a striking orange color.

83. As stated in point 72, consent must be given freely, specifically, informed, and unambiguously. Following what was developed in point 71, requiring a controller to use button colors that do not clearly direct users to consent to the placement of cookies is necessary to ensure that the consent is free and unambiguous as defined under Article 6.1 of the GDPR.

84. In this case, the Contentious Chamber believes that the color scheme used by the defendant clearly encourages users to click on the "Accept and Close" button, as this button stands out prominently from the rest of the cookie banner, attracting users’ attention. Therefore, the consent obtained from the complainant by the defendant concerning the placement of cookies is invalid.

   ```
   RTL info
   With your consent, our partners and we use cookies and similar technologies to store and access personal information like your visit on this site. You can withdraw your consent at any time by clicking on "Learn More" or in our cookie policy on this site.
   With our partners, we process the following data based on your consent:
   Essential cookies, precise geolocation data, and device identification analysis, personalized ads and content, ad and content performance measurement, audience data, and product development, social media, storage, and access to information on a device.
   
   LEARN MORE - ACCEPT & CLOSE
   ```

85. Firstly, the European Court of Human Rights defines artistic freedom of expression as "allowing participation in the public exchange of cultural, political, and social information and ideas of all kinds" (see, mutatis mutandis, the judgment Müller and Others v. Switzerland of May 24, 1988, Series A No. 133, p. 19, § 27). Those who create, interpret, disseminate, or display a work of art contribute to the exchange of ideas and opinions essential to a democratic society.

86. The Contentious Chamber also recalls that the right to data protection is a fundamental right. The European legislator implemented this right, notably in the GDPR and the ePrivacy Directive. The choices made by the legislator, including the consent conditions stipulated in the legislative texts, indicate the threshold of requirements that controllers must meet before they can rely on this consent for cookie placement and subsequent processing (Article 6.1.a of the GDPR and Article 10/2 of the LCA). Controllers have some discretion in implementing the conditions provided in the legislative bases mentioned above; however, they cannot choose the conditions of consent. It is the DPA's duty to enforce the application of the GDPR and the ePrivacy Directive.

87. Regarding the artistic freedom of expression invoked by the defendant, the Contentious Chamber notes that Article 85.1 of the GDPR provides: "Member States shall reconcile, by law, the right to the protection of personal data under this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic, or literary expression."

88. Recital 153 of the same Regulation specifies that such reconciliation should take place when necessary. It also states that notions related to this freedom should be interpreted broadly, considering the importance of the right to freedom of expression.

89. The Belgian legislator has provided for exceptions in Article 24 of the LCA for the application of certain provisions of the GDPR for processing carried out for journalistic purposes and for academic, artistic, or literary expression, as follows:

   - § 1. Processing of personal data for journalistic purposes means the preparation, collection, writing, production, dissemination, or archiving for the purpose of informing the public using any media where the controller adheres to journalistic ethics.
   - § 2. Articles 7 to 10, 11.2, 13 to 16, 18 to 20, and 21.1 of the GDPR do not apply to the processing of personal data carried out for journalistic purposes and for academic, artistic, or literary expression.
   - § 3. Articles 30.4, 31, 33, and 36 of the GDPR do not apply to processing for journalistic purposes and for academic, artistic, or literary expression when their application would compromise a planned publication or constitute a prior control measure before publishing an article.
   - § 4. Articles 44 to 50 of the GDPR do not apply to the transfer of personal data carried out for journalistic purposes and for academic, artistic, or literary expression to third countries or international organizations to the extent necessary to reconcile the right to data protection with freedom of expression and information.
   - § 5. Article 58 of the GDPR does not apply to the processing of personal data carried out for journalistic purposes and for academic, artistic, or literary expression when its application would provide indications on information sources or constitute a prior control measure before publishing an article.

90. Firstly, it should be noted that Articles 5.1.a and 6.1 of the GDPR are not exempt for processing carried out for the purposes mentioned in point 87.

91. The Contentious Chamber also notes from the report on the work undertaken by the Cookie Banner TaskForce that no general model for cookie banners can be imposed on controllers regarding colors [and contrasts]. The same report explains that the validity of the cookie banner must be assessed case by case to verify that the colors or contrasts used do not clearly direct users towards a choice inconsistent with their personal data sharing preferences.

92. This means that controllers, whose compliance with the GDPR must be assessed on a case-by-case basis, have considerable discretion in choosing colors [and contrasts] for their cookie banners. They are fully allowed to be creative, reflecting their brand identity. This discretion also allows controllers to comply with GDPR requirements while respecting principles of inclusive design, for example.

93. Moreover, the Contentious Chamber emphasizes that the defendant could keep the same colors used in its cookie banner, provided it swaps the color used for the acceptance button with that used for the refusal button. As explained in point 83, controllers must ensure that the color used does not clearly encourage users to consent to cookie placement. However, nothing prevents controllers from using a button color that similarly encourages users to refuse cookies.

94. Ultimately, the defendant wrongly argues that the requirements governing the choice of colors used in its cookie banner infringe its artistic freedom of expression and the coherent and aesthetically pleasing experience it wishes to offer its users, including visually impaired persons.

95. For the reasons stated above, the Contentious Chamber concludes that the defendant has violated Articles 5.1.a) and 6.1.a) of the GDPR, as well as Article 10/2 of the LCA.

### II.3.4. On the Methods of Withdrawing Consent

96. Article 7.3 of the GDPR states: "The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject shall be informed of this before giving consent. It shall be as easy to withdraw as to give consent."

97. The EDPB specifies that a violation of Article 7.3 of the GDPR results in the non-compliance of the controller's consent mechanism.

98. The report on the work undertaken by the Cookie Banner Taskforce specifies that no specific consent withdrawal model, including the solution of a floating banner or button (or "hovering solution"), can be imposed on controllers. The same report further states that a link placed in a visible and standardized location is an appropriate solution to comply with Article 7.3 of the GDPR.

99. The Contentious Chamber adds that the duty to allow data subjects to withdraw their consent as easily as they give it must be balanced with the convenience of use for data subjects. This duty should not make the browsing experience on the controller’s website burdensome for users—otherwise, it would be unreasonable.

100. In this case, the Contentious Chamber observes that the defendant's website provides users with a "Manage Cookies" button at the bottom of each navigation page. The Contentious Chamber finds that this button is reasonably accessible to users.

101. Moreover, within the options presented in the "Manage Cookies" button, there are "Accept All" and "Reject All" buttons. Users can thus withdraw their consent with a single button click.

102. The fact that the withdrawal process is not identical to the method used to collect consent is not problematic here, as otherwise, the interests of users (and specifically the complainant) would be affected.

103. Consequently, the Contentious Chamber decides to dismiss this grievance.

### III. Corrective and Provisional Measures

104. Under Article 100 of the LCA, the Contentious Chamber has the authority to:

1. Dismiss the complaint;
2. Order a dismissal of proceedings;
3. Pronounce a suspension of the ruling;
4. Propose a settlement;
5. Issue warnings and reprimands;
6. Order compliance with the data subject's requests to exercise their rights;
7. Order the data subject to be informed of the security issue;
8. Order the freezing, limitation, or temporary or permanent prohibition of processing;
9. Order the processing to be brought into compliance;
10. Order the rectification, restriction, or erasure of data and the notification of such actions to the data recipients;
11. Revoke the certification of certification bodies;
12. Impose penalties;
13. Impose administrative fines;
14. Order the suspension of cross-border data flows to another state or international organization;
15. Transmit the case file to the prosecutor’s office of the Public Prosecutor of Brussels, who will inform them of the follow-up;
16. Decide, on a case-by-case basis, to publish its decisions on the website of the Data Protection Authority.

### III.1. Compliance Order

105. The Contentious Chamber deems it appropriate to impose two compliance orders on the defendant, based on the identified breaches.

106. Order 1: The Contentious Chamber requires the defendant to add a button that clearly allows the refusal of cookie placement with a single click, at the same level as the button allowing acceptance of cookies, at each level of the cookie banner where the button for accepting cookies is present.

107. Order 2: The Contentious Chamber requires the defendant to use colors and contrasts that are not clearly misleading. The button allowing the refusal of cookies must be displayed at least as prominently as the acceptance button. The Contentious Chamber specifies that the defendant may retain the current colors used in the cookie banner, provided it swaps the color used for the refusal button with the acceptance button; it refers to point 94 in this regard.

108. As examples, the Contentious Chamber includes an illustration from its [Cookie Checklist](https://www.autoriteprotectiondonnees.be/publications/checklist-cookies.pdf) below as a good practice. However, the implementation of these orders is the sole responsibility of the defendant.

109. Each of these two orders must be satisfied no later than the 45th day following the notification of this decision to the defendant. Within the same period, the defendant must submit a document to the Contentious Chamber and the complainant reflecting how it has complied with the two orders issued.

110. In case of non-compliance—even apparent—beyond the 45th day following the notification of this decision, the Contentious Chamber will notify the defendant. From the date of this notification, the penalty will be enforced. It will only cease once the Contentious Chamber recognizes that the defendant has fully complied with the orders.

### III.2. Accessory Sanction: The Penalty

#### III.2.1. Preliminary Considerations

111. The penalty is fully conditional. The amount payable is uncertain. The defendant initially has a period to comply or to appeal the decision. It is only in the event of non-compliance after a 45-day period from the notification of this decision that the penalty will be enforced. Therefore, the amount of the penalty is variable and may even be zero, if applicable.

112. The penalty differs from an administrative fine as it serves as an indirect means of enforcing the primary sanction(s) to achieve compliance with applicable law, while an administrative fine has a punitive character. The penalty thus also has an accessory nature. The penalty and the administrative fine differ both in their nature and the objectives they pursue.

113. In a judgment of February 19, 2020, the Court of Markets stated:  
   "Before a sanction is imposed, the offender must be informed of the nature of the proposed sanction and its amount (in the case where a fine is envisaged). The offender must be warned (to avoid unnecessary sanctions) and given the opportunity to defend the amount of the fine proposed by the Contentious Chamber before the sanction is effectively imposed and enforced."

114. Following this judgment, the President of the Contentious Chamber considered that issuing a sanction form was also necessary when the Contentious Chamber intended to impose a penalty.

115. The Contentious Chamber's position today is different, considering that it should not inform the defendant of its intention to impose a penalty for the following two reasons:

   a) The obligation to send a sanction form to the defendant before the decision originates from the jurisprudence of the Court of Markets. It is an obligation that adds to the existing legal framework. This step in the Contentious Chamber’s procedure makes it heavier and more time-consuming. While the Contentious Chamber acknowledges all the benefits of this step, it notes that this strictly national obligation can hinder the consistent application of the GDPR among different supervisory authorities. The Contentious Chamber thus considers that this obligation should be interpreted restrictively, favoring an interpretation that does not conflict with the objectives pursued by the legislator in granting powers to supervisory authorities.

   b) As explained in point 112, the nature of the penalty differs fundamentally from that of an administrative fine. The penalty is an accessory sanction, aimed at encouraging the defendant to comply with the primary sanction. In this sense, it is widely recognized in legal doctrine that the penalty is not punitive in nature. In conclusion, the decision to impose a penalty is at the strict discretion of the Contentious Chamber and cannot be contested by a party to the case. The Belgian legislator has deliberately chosen to grant this competence to impose penalties to the DPA; the intention of the Belgian legislator must be acknowledged and respected.

116. The Contentious Chamber reminds that its decisions do not have precedent value. The policies of the Contentious Chamber are not binding. The Contentious Chamber recognizes that publishing these policies establishes a certain level of trust with the public and strives to communicate transparently with the public. However, this cannot constitute an obstacle to the development of the Contentious Chamber's practices and the legal framework implemented, which are essential.

117. In light of the reasons mentioned above, the Contentious Chamber exercises its prerogative to impose penalties on the defendant in this case and does not consider that it must inform the defendant beforehand by means of a sanction form.

#### III.2.2. Practical Modalities of the Penalty

118. To allow the defendant sufficient time to comply with the orders issued in this decision, the penalty will not be enforced immediately after the notification of this decision to the defendant.

119. In this case, the Contentious Chamber considers that a period of 45 days from the notification of this decision is sufficient for the defendant to comply with the said orders.

120. The period begins on the day the defendant receives the registered letter notifying them of this decision or on the day the period expires for the defendant to collect the registered letter from the post office, if applicable.

121. The day after this period expires, the Contentious Chamber notifies the defendant:

   1) That they have fully complied with the orders issued in this decision; or
   2) That they have partially complied with the orders issued in this decision; or
   3) That they have not complied with the orders issued in this decision.

   The Contentious Chamber initiates the enforcement of the penalty on the same day of this notification in the second and third scenarios.

122. The penalty amounts are as follows:

   a) Order 1: The defendant must pay EUR 20,000 per day of delay from the day the Contentious Chamber notifies them of partial or non-compliance with the orders issued in this decision;
   b) Order 2: The defendant must pay EUR 20,000 per day of delay from the day the Contentious Chamber notifies them of partial or non-compliance with the orders issued in this decision.

   If the defendant fails to satisfy both orders, they must then pay EUR 40,000 per day of delay from the day the Contentious Chamber notifies them of partial or non-compliance with the orders issued in this decision.

123. The Contentious Chamber reiterates, as stated in point 112, that the penalty does not have a punitive character. Each order is accompanied by a penalty to ensure its proper execution. The penalty amounts are reasonable in view of the harm caused by the defendant to the complainant’s rights, and to users more generally, as well as considering the defendant's financial capacity and the benefit they may derive from non-compliance with the orders.

124. If the defendant considers that full compliance with the orders is impossible within the prescribed period despite all reasonable efforts, they may submit a motivated request for an extension to the Contentious Chamber within 45 days following the notification of this decision.

125. The penalty is daily and cannot exceed a maximum amount of EUR 2,000,000.

126. The practical modalities of the penalty can be schematized as follows:

   - Receipt of the compliance notification: partial or null compliance – initiation of the penalty EUR 20,000 per day per infraction

127. Given the importance of transparency concerning the decision-making process of the Contentious Chamber, this decision is published on the Data Protection Authority’s website.

128. Considering that the defendant is a major player in the television and radio services sector, and that the personal data processing carried out by the defendant is conducted on a national scale, the Contentious Chamber believes that the defendant’s identity must be known in this decision. This is also consistent with the position already taken by the Contentious Chamber in similar cases involving media groups.

129. Knowing the defendant’s identity is also important to better understand the procedure followed in this case. Noyb has revealed the circumstances of this procedure on its website. Therefore, it is appropriate to detail transparently the differences in the examination of the present complaint compared to other complaints filed by complainants represented by noyb.

+--------------------------------------------------------------------------------+
| FOR THESE REASONS,                                                             |
|                                                                                |
| The Contentious Chamber of the Data Protection Authority decides, after        |
| deliberation:                                                                  |
|                                                                                |
| In accordance with Article 100, §1, 9° of the LCA, to order the defendant to   |
| add a button that clearly allows users to refuse the placement of cookies with |
| a single click, at each level of the cookie banner where there is a button     |
| allowing the acceptance of cookies with a single click, in compliance with     |
| Article 6 of the GDPR and Article 10/2 of the LCA, and to provide both the     |
| complainant and the Contentious Chamber with documentation on the measures     |
| taken to comply with this order (Injunction 1). Furthermore, the Contentious   |
| Chamber requires the defendant to use colors and contrasts that are not        |
| manifestly misleading. The button clearly allowing the refusal of cookies must |
| be displayed at least as prominently as the acceptance button (Injunction 2);  |
|                                                                                |
| In accordance with Article 100, §1, 12° of the LCA, to accompany Injunction 1  |
| with a penalty. The defendant must pay 20,000 EUR per day of delay from the    |
| day the Contentious Chamber notifies that it has partially or not at all       |
| complied with the orders issued in this decision;                              |
|                                                                                |
| In accordance with Article 100, §1, 12° of the LCA, to accompany Injunction 2  |
| with a penalty. The defendant must pay 20,000 EUR per day of delay from the    |
| day the Contentious Chamber notifies that it has partially or not at all       |
| complied with the orders issued in this decision;                              |
|                                                                                |
| In accordance with Article 100, §1, 1° of the LCA, to dismiss the third        |
| grievance related to the modalities for withdrawing consent.                   |
+--------------------------------------------------------------------------------+

In accordance with Article 108, § 1 of the LCA, an appeal against this decision can be lodged within thirty days from its notification, with the Court of Market (Court of Appeal of Brussels), naming the Data Protection Authority as the defendant. Such an appeal can be submitted by means of an interlocutory application, which must contain the information enumerated in Article 1034ter of the Judicial Code. The interlocutory application must be:

1. The indication of the day, month, and year;
2. The name, first name, and address of the applicant, as well as, if applicable, their status and national registration number or company number;
3. The name, first name, address, and, if applicable, the status of the person to be summoned;
4. The subject and a summary statement of the grounds for the claim;
5. The indication of the judge who is seized of the request;
6. The signature of the applicant or their lawyer.

The application must be filed at the registry of the Court of Market in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code).

(signed) Hielke HIJMANS  
President of the Contentious Chamber