APD/GBA (Belgium) - 11/2022: Difference between revisions

From GDPRhub
Revision as of 08:00, 2 February 2022

APD/GBA (Belgium) - 11/2022
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(1) GDPR
Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 7 GDPR
Article 12 GDPR
Article 13 GDPR
Article 5.3 ePrivacy Directive
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 21.02.2022
Published:
Fine: None
Parties: n/a
National Case Number/Name: 11/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-11-2022.pdf (in EN)
Initial Contributor: Matthias Smet

The Belgian DPA issued a reprimand to a website owner for violating Article 12 and Article 13 GDPR and ordered the defendant to bring its processing register into compliance, more specifically by mentioning the third countries to which personal data has been sent. On top of that, the Belgian DPA also shares some interesting insights regarding the processing of cookies.

English Summary

Facts

Activities of the defendant:

Defendant owns a website 'YourOnlineChoices', through which you can control your ad experience online. While browsing the web and visiting different websites, you can control which non-essential cookies (e.g. for advertising purposes) you accept or refuse. If you choose to turn off interest-based advertising, you will still see advertisements on the internet. Disabling it only ensures that the online advertisements you see are not adapted to your suspected interests or preferences on your web browser.

Summary of the complaint: The Belgian DPA received a complaint via the Internal Market Information (IMI) system from the Berlin DPA regarding illegitimate use of cookies on a website. The complainant raises in his complaint that (i) the tool for selecting advertising preferences does not work (the cookie opt-out option for third parties does not work) and consent is thus not freely given; (ii) the website forces the user to accept cookies in order to be able to select his advertising preferences.

Cross-border processing:

According to Article 56 GDPR "the supervisory authority of the main establishment[...] of the controller shall be competent to act as lead supervisory authority for cross-border processing[...]". The Belgian DPA is competent because the defendant has its sole place of business in Belgium, but its activities substantially affect or are likely to affect data subjects in several Member States, including Germany.

Use of cookies without prior information given to the user (violation transparency principle - Article 5 GDPR) - UPHELD

The DPA recalls that the purpose of the transparency principle is that the data subject should be able to determine in advance what the scope and consequences of the processing encompass. This means that the controller must at least provide information on the duration of the operation of cookies and on whether the cookie is first or third party.

When viewing the website, the investigation showed that a cookie was already loaded in the browser before any information could be delivered to the user, since it was technically impossible to display the necessary information in the user's language. The DPA replied that, in the absence of a language selection by the user, it would have been appropriate to display the information regarding the use of cookies in English, a widespread language commonly used by other websites.

Obligation to set cookies in order to select advertising preferences on the website & "Cookie wall" practice (violation of Article 7 GDPR) - NOT upheld

The complainant states that his consent is not freely given, because consent is a condition for using the website. In its recent guidelines, the EDPB indeed condemns the practice of making the provision of a service or access to a website conditional on the acceptance of write or read operations on the user's device. A side note here is that it must concern non-necessary cookies.

However, in this case the cookie in question is strictly necessary for the functioning of the website. The defendant also showed that the fact that the cookie needs to be placed in order to use certain parts of the website is described in three different places on the website (i.e. the homepage / terms and conditions / Protecting your privacy-page), and thus the legal basis for processing this personal data and placing this cookie is not consent, but the legitimate interest of the data controller (Article 6(1)(f) GDPR).

Holding

The Belgian DPA issued a reprimand to a website owner for violating Article 12 GDPR and Article 13 GDPR and ordered the defendant to bring its processing register into compliance, more specifically by mentioning the third countries to which personal data has been sent.

On top of that, the Belgian DPA also shares some interesting insights regarding the processing of cookies:

  • definition of 'trackers';
  • different types of cookies;
  • valid consent under GDPR and ePrivacy Directive - transparency obligations

Comment

This decision of the Belgian DPA is different from the others. The DPA itself provides a lot of background and additional information regarding 'best practices' when using cookies.

Sidenote for discussion: The investigation service of the Belgian DPA stated about 'non-identifiable information to analyse site activity to improve navigation' that 'although this information is not identifiable, it is still considered personal data'. How does this reconcile with the definition of 'personal data' in Article 4(1) GDPR that clearly refers to 'identified or identifiable natural persons'?


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Litigation Chamber

Decision on the merits 11/2022 of 21 January 2022

File number: DOS-2018-05968

Subject: Cross-border cookie complaint

The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman, and Messrs. Yves Poullet and Christophe Boeraeve, members, resuming the affair in this composition;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (general regulation on data protection), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);

Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

made the following decision regarding:

the complainant: Mr. X

the defendant: Y. represented by his counsel, Maître Rue, Chaussée de La Hulpe, 177/12, 1170 Brussels.









I- Procedural Feedback


   1. Having regard to the complaint received via the IMI system by the Berlin data protection authority (Berliner Beauftragte für Datenschutz und Informationsfreiheit) on August 24, 2018 to the Data Protection Authority (DPA);

   2. Considering the decision of November 23, 2018 of the President of the Litigation Chamber to transfer the file to the inspection service for investigation;

   3. Having regard to the investigation report of the Inspection Service (“IS” below) of October 19, 2019;

   4. Having regard to the exchanges between the Berlin data protection authority (Berliner Beauftragte für Datenschutz und Informationsfreiheit) and DPA, in the context of Article 60 GDPR;

   5. Considering the decision of April 29, 2020 of the President of the Litigation Chamber considering that the file was ready for substantive processing under Articles 95 § 1, 1° and 98 LCA, the Chairman invited the parties to conclude by letter on the same date;

   6. Considering the conclusions of the defendant, received on June 9, 2020;

   7. Given the absence of submissions in response from the complainant;

   8. Having regard to the Respondent's summary submissions, received on July 21, 2020;

   9. Having regard to the translation of the procedural documents (inspection report and conclusions of the defendant) into the plaintiff's language (German);

   10. Having regard to the hearing of April 30, 2021 in the presence of the defendant represented by his counsel Me Rue, in the absence of the plaintiff, although he was summoned;

   11. Considering the sending to the parties of the minutes of the hearing and the comments of the parties;





II- The facts of the complaint


   12. The complainant raises in his complaint that the tool for selecting advertising preferences does not work, in that the opt-out cookie for many third parties does not work (although he clicks the decline option, the accept option automatically resets). He also raises that his consent to these cookies is forced and therefore not free within the meaning of Article 4.11 and 7 of the GDPR.

   13. He further argues that the website requires the user to accept cookies in order to be able to select their advertising preferences.

   14. The cookie in question allows the defendant to be informed whether or not the user's browser accepts third-party cookies. The Litigation Chamber therefore understands that the complainant opposes the placing of the cookie, as well as the subsequent processing of his personal data by the defendant.

   15. The Litigation Chamber will examine the facts reported by the plaintiff, within the framework of the mission of monitoring compliance with the GDPR entrusted to the DPA (of which it is the administrative litigation body) by the European legislator (article 58 of the GDPR) and by the Belgian legislator (article 4 LCA), both in the light of the articles of the GDPR referred to in the complaint form that he submitted on August 24, 2018, and in the light of the articles of the GDPR as examined in the report of the inspection service.

   16. The shortcomings noted in the IS report will be examined first. The grievances raised by the complainant in his complaint will be examined secondarily.




III- Findings of the Inspection Service


   17. Following its investigation, the IS produced an investigation report, in which it notes breaches combined with articles 5 and 6, 12 and 13, 24 and 30, 24 and 32, as well as 37 of the GDPR.

    Statement concerning the principles relating to the processing of personal data (Article 5 of the GDPR) and concerning the lawfulness of the processing (Article 6 of the GDPR):

    “The technical analysis report of 07/03/2019 (Exhibit 12), the relevant elements of which on pages 9/14 and 10/14 are cited below, demonstrates the existence of the following practices which are incompatible with the principle of lawfulness, loyalty, transparency of Article 5 of the GDPR and with the obligation of lawfulness of the processing of article 6 of the GDPR: “When connecting to the site […] on the home page (screenshot 8) a cookie is already loaded in the browser when no information has been delivered to the user. The cookie named “third_party_c_t” with value “hey+there %21” coming from the domain (…) is a cookie which makes it possible to inform Y whether or not your browser accepts cookies from third parties”, and; "By choosing the country in which you are located, we arrive on the screen in screenshot 9 indicating that non-identifiable information is being collected. The fact that the information is not personally identifiable.

    There is nothing "transparent" about this box and does not allow the user to get an idea of what is collected and why it is collected.”



    Observation concerning the transparency of information and communications and methods of the exercise of the rights of the data subject (Article 12 of the GDPR) and information to provide when personal data is collected from the data subject (Article 13 of the GDPR):

As for the transparency of information, the IS notes:

“The “privacy policy of […]” the text of which can be found on pages 19 to 24 and explanations on pages 9 and 10 of the document […] which was communicated to the inspection service by Y via his email of 07/17/2019 (Exhibit 14) does not comply with Article 12(1) or Article 13 GDPR, which are relevant here, for the following reasons:

The information provided is not always transparent and understandable for data subjects as required by Article 12, paragraph 1 of the GDPR. First the language used is not coherent and logical given that the notions of “personal information” and "personal data" are used while the GDPR systematically speaks of "personal data".

Then the use of cookies is mentioned accompanied by two warnings which indicate that "disabling cookies for this purpose prevents the control tool from working effectively and could have undesirable consequences on your experience of global navigation" and also that "deleting or rejecting cookies could have undesirable consequences for your experience of our website”. Those warnings are not comprehensible for the persons concerned and prevent a free consent on their part for the use of cookies since they do not explain what “undesirable consequences” means concretely.

Finally, the reference to "additional information" on the sites of Google, Firefox, Windows and Safari is not comprehensible for those concerned since there is no explanation on this mentioned for the persons concerned”.

As for the fact that the information would be incomplete, the IS notes:

“The information provided is incomplete because all the information that should be provided in accordance with Article 13 of the GDPR are not actually provided to persons concerned. First, the existence of the right to withdraw consent at any time, without affecting the lawfulness of the processing based on the consent made before the withdrawal thereof, is not mentioned with regard to the processing of data of a personal nature by Y; this right is only mentioned for the management of cookies on the website accompanied by the aforementioned disclaimer which states that "the act of deleting or rejecting cookies could have undesirable consequences for your experience of our website".



Statement concerning the register of processing activities (Article 30 of the GDPR)

“The register of processing activities which can be found in the document “[FR] Annex 1_(..) Register of GDPR checks” which was communicated to the inspection service by Y via its email of 07/17/2019 (Exhibit 14) does not mention the identification of third countries to whom the personal data is transmitted for several activities of processing. For these processing activities, the texts “Refer to (…)”, “Refer to (…)”, “Refer to (…)” and “Refer to (…)” are mentioned in the column “Names third countries or international organizations to which the personal data are transferred (if possible)”.




Statement concerning the responsibility of the data controller (article 24 of the GDPR) and regarding the security of processing (Article 32 of the GDPR)

“The technical analysis report of 07/03/2019 (Exhibit 12), the relevant elements of which on pages 8/14 and 9/14 are quoted below, demonstrates the existence of the following practices which are incompatible with the controller's liability in Article 24 of the GDPR and with the obligation of security of the processing in article 32, paragraph 1 of the GDPR:

On screenshot 1 we see that the link to join the server is […]. This link is an http link and not https. This means that the communication protocol between the client station and the server in question is a protocol that carries data in the clear, i.e. not encapsulated in a tunnel as would the TLS protocol for an https link. Which means that the personal data provided by the user on this site does not have the guarantee set out in the information “Protection of your privacy” disseminated at the following link […] of which screenshot 7 shows the excerpt.

In its guidelines on the protection of personal data through web services provided by the European institutions the EDPS recommends the use of secure protocols in the transmission of personal data within the framework of web services.

The use of an http link instead of an https link and the consequences for the security of the processing as mentioned above, is also inconsistent with the stated guarantee in the “privacy policy of […] the text of which can be found on pages 19 to 24 and explanations on pages 9 and 10 of the document “[FR] Letter of response – (…)-” which was communicated to the inspection service by Y via his email of 07/17/2019 (Exhibit 14). The Inspection service refers in this respect to the following sentences mentioned in the aforementioned text of the Y:

“We are committed to respecting and protecting the privacy of all individuals with which we act, have acted or will act. seek to give you clear information and control over information personal data we hold about you, as well as other non-personal data information that we may collect and use during your visit to this site Internet.” “No other personal information will be shared with any other third parties.”



Findings concerning the responsibility of the data controller (article 24 of the GDPR) and concerning the appointment of the data protection officer (Article 37 of the GDPR)

“In the document “[FR] Letter of response – Ref (…)” which was communicated to the inspection service by Y via his email of 07/17/2019 (Exhibit No. 14) appears on pages 10 to 11 and pages 25 to 31 a motivation for the decision not to appoint a data protection officer within the organization; according to “The summary of the conclusion is that (…) is not required to appoint a dedicated data protection officer”.

The aforementioned “decision” and its reasoning do not comply with Article 24, paragraph 1 of the GDPR or Article 37(1) GDPR for the following reasons: There is no time of official decision taken by Y concerning the appointment or not of a delegate to the data protection despite the obligation imposed by article 24, paragraph 1 to put implement “appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with this Regulation”. The document “Re DOS (…)-questions in the context of an inspection investigation_FR” which was communicated to the inspection service by Y via his email of 09/09/2019 (Exhibit 17) mentions on pages 10 to 11 that the aforementioned decision “will be placed on the agenda of our next Board of Directors in November 2019, in order to ensure that the decision taken has been officially documented.

The elements of the technical analysis report of 07/03/2019 (Exhibit 12) cited above in this report demonstrate that a cookie “allows Y to be informed of the fact that your browser accepts or not third-party cookies” which requires the appointment of a data protection officer on the basis of Article 37, paragraph 1, b) of the GDPR. This cookie is clearly linked to the operation of the website […] given the explanations of Y concerning this website on pages 3 to 9 of the document “[FR] Letter of response – Ref (…)” which was communicated to the inspection service by Y via his email of 07/17/2019 (Exhibit 14) and allows regular and systematic monitoring on a large scale of persons concerned.”



   18. As a reminder, the IS is an independent body of the Litigation Chamber (“CC” below). The investigation report produced is only one of the elements on which the CC relies to make its decision.




IV- Motivation




    IV.1- On the competence of the DPA


    IV.1.1- On the competence of the DPA within the framework of the IMI system


   19. Article 56 GDPR states that “Without prejudice to Article 55, the data protection authority of the main establishment or the sole establishment of the controller or the processor is competent to act as lead supervisory authority concerning the cross-border processing carried out by this controller or this subcontractor, in accordance with the procedure provided for in Article 60.”

   20. Article 4.23 GDPR clarifies the notion of cross-border processing in the following terms:

    “(a) processing of personal data which takes place in the Union in the context of activities of establishments in several Member States of a controller or of a processor when the controller or the processor is established in several Member States; or

    (b) processing of personal data which takes place in the Union in the context of activities of a single establishment of a controller or processor, but which materially affects or is likely to materially affect persons concerned in several Member States;”

   21. The defendant has its sole establishment in Belgium, but its activities (and more particularly its website (…), being consultable from any EU member state) significantly affect or are likely to significantly affect people concerned in several Member States, including the complainant in Germany. The Litigation Chamber bases its jurisdiction on a combined reading of Articles 56 and 4.23.b) GDPR. The DPA is seized by the data protection authority in Berlin, following a complaint by the complainant to an authority in the Member State in which he has his habitual residence, in accordance with Article 77.1 of the GDPR, and declares itself lead supervisory authority (Article 60 of the GDPR).



IV.1.2- On the competence of the DPA




   22. In the section below, the Litigation Chamber recalls that the jurisdiction of the DPA regarding the e-privacy Directive is developed in previous decisions of the Chamber, in particular in decisions 12/2019 of 17 December 2019, 24/2021 of 19 February 2021, as well as 19/2021 of February 12, 2021. This section includes a summary of the Chamber's position.

   23. Pursuant to Article 4 § 1 LCA, the DPA is responsible for monitoring compliance with the fundamental principles of data protection, as affirmed by the GDPR and other laws containing provisions relating to the protection of the processing of personal data.

   24. Pursuant to Article 33 § 1 LCA, the Litigation Chamber is the administrative litigation body of the DPA. It is, among other things, seized of the complaints that are transmitted to it via the IMI system, on the basis of Article 56 of the GDPR.

   25. Pursuant to articles 51 et seq. of the GDPR and Article 4.1 LCA, it is up to the Litigation Chamber, as the administrative litigation body of the DPA, to exercise effective control of the application of the GDPR and to protect the fundamental rights and freedoms of natural persons with regard to processing and to facilitate the free flow of personal data within the Union.

   26. As the defendant acknowledges, the website collects personal data through 3 types of cookies, namely audience cookies, “dialog box” cookies and session cookies, and therefore processes this personal data.

   27. The Litigation Chamber is competent to rule in cases concerning the processing of personal data, pursuant to Article 4, § 1 of the LCA, of Article 55 of the GDPR and in compliance with Article 8 of the Charter of Fundamental Rights of the European Union.

   28. Furthermore, under Belgian law, the Belgian Institute for Postal Services and Telecommunications (BIPT) is the supervisor for the Electronic Communications Act (ECL hereinafter), including for section 129 of the ECL which implements section 5.3 of Directive 2002/58 [1] (hereinafter, the "e-privacy Directive"), in accordance with Article 14, § 1 of the law of 17/01/2003 relating to the status of the regulator of the Belgian postal and telecommunications sectors.


    29. In its Opinion 5/2019 on the interaction between the ePrivacy Directive and the GDPR [2], the European Data Protection Board (hereafter: "EDPB") has confirmed that the data protection authorities are competent to apply the GDPR to data processing, also in the context where other authorities would be competent, under the national transposition of the e-privacy Directive, to monitor certain elements of personal data processing.

    30. It also emerges from this opinion that the e-privacy Directive aims to “specify and supplement” the provisions of the GDPR with regard to the processing of personal data in the electronic communications sector, and in doing so to guarantee the compliance with Articles 7 and 8 of the Charter of Fundamental Rights of the EU.

    31. The Litigation Chamber notes, in this regard, that Article 8.3 of the Charter provides that the processing of personal data is subject to the control of an independent authority, responsible for data protection.

    32. In addition, the predecessor of the EDPB (the Article 29 Working Group on Data Protection, hereinafter: Data Protection Working Group) has also clarified that GDPR requirements for obtaining valid consent apply to situations that fall within the scope of the E-privacy Directive. [3]

    33. In the Planet49 judgment, the Court of Justice of the European Union confirmed in particular that the collection of data through cookies could be qualified as processing of personal data. Therefore, the Court interpreted Article 5.3 of the Privacy and Electronic Communications Directive using the GDPR, specifically on the basis of Article 4.11, Article 6.1.a GDPR (consent requirement) and Article 13 GDPR (information to be provided).






[1] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, as amended by Directive 2009/136/EC of the European Parliament and of the Council of November 25, 2009, hereinafter the “ePrivacy Directive”).

[2] EDPB, Opinion 5/2019 on the interactions between the “privacy and electronic communications” directive and the GDPR, in particular with regard to the competence, tasks and powers of data protection authorities, § 69

[3] Data Protection Working Party, Guidelines on Consent within the meaning of Regulation 2016/679, WP259, p. 4.

[4] Judgment of the Court of 1 October 2019, Planet49, C-673/17, ECLI:EU:C:2019:801, paragraph 45.

[5] As well as with the help of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 relating to the protection of natural persons with regard to the processing of personal data and on the free movement of such data




   34. As indicated above, BIPT's competence to supervise certain elements of the

        processing – such as the placement of cookies on the terminal equipment of


        the Internet user – does not prejudice the general competence of the DPA. As precised

        by the EDPB, the data protection authorities remain competent for matters

        processing (or elements of processing) for which the e-privacy Directive does not provide

        no specific rules. There is indeed a complementarity of competences between BIPT

        and ODA in the specific case, insofar as on the basis of Article 4 of the LCA, ODA is


        responsible for monitoring compliance with the fundamental principles of the protection of

        data (as affirmed by the GDPR and in other laws containing provisions

        relating to the protection of personal data), and that the consent

        constitutes a fundamental principle in this field.


   35. The complaint also relates to the processing occurring following the placement of the cookie


        litigation.

36. Furthermore, the aforementioned Opinion 5/2019 of the EDPB on the interaction between the e-privacy Directive and the GDPR 7 also indicates that national procedural law determines what must happen when a data subject lodges a complaint with the data protection authority relating to the processing of personal data (such as, for example, the collection of data by means of cookies), without also complaining about (potential) breaches of the GDPR. This corresponds well to the present case.


37. In this regard, the Court of First Instance of Brussels has clearly indicated that the legal predecessor of the DPA was competent to submit a requisition to a court "to the extent that it relates to alleged violations of the privacy law of 8 December 1992, to which article 129 of the LCE, which clarifies and completes it, moreover expressly refers". 8 As indicated below, article 129 LCE is the implementation in Belgian law of article 5.3 of the e-privacy Directive.


38. The DPA is thus competent to verify whether or not the requirement of consent around the disputed cookie, consent being a fundamental principle, complies with the conditions of GDPR consent.









6 EDPB, Opinion 5/2019 on the interactions between the “privacy and electronic communications” directive and the GDPR, in particular with regard to the competence, tasks and powers of data protection authorities, § 69.

7 EDPB, Opinion 5/2019 on the interactions between the "privacy and electronic communications" directive and the GDPR, in particular with regard to the competence, tasks and powers of data protection authorities, 12/03/2019, § 70.

8 Brussels Court, 24th Civil Affairs Chamber, 16 February 2018, case file no. 2016/153/A, point 26, p. 51, available at: https://www.autoriteprotectiondonnees.be/news/lautorite-de-protection-des-donnees-defend-son-argumentation-devant-the court-of-appeal-of-brussels.




39. The DPA is also competent to verify compliance with all the other conditions made mandatory by the GDPR – such as transparency of processing (Article 12 of the GDPR) or the information to be communicated (Article 13 of the GDPR).

40. As confirmed by the Court of Justice in the Facebook and Others judgment, only the recording and reading of personal data by means of cookies fall within the scope of Directive 2002/58/EC, while “all previous operations and subsequent processing activities of such personal data by means of other technologies do fall within the scope of [GDPR]”. 9





IV.2- As regards breaches of the principles of transparency (Articles 5.1.a, 12 and 13 of the GDPR) and lawfulness (Article 6 of the GDPR)

IV.2.1.1- Reminder of the basic legal principles concerning the use of tracking tools and cookies

41. Before examining the corresponding shortcomings identified by the IS report, the Litigation Chamber considers it useful, for educational purposes, to give a short introduction to cookies and to recall the basic legal principles concerning tools for tracking Internet users, including cookies.


42. The term "tracers" includes cookies and HTTP variables, which may in particular pass through invisible pixels or "web beacons", "flash" cookies, access to terminal information from APIs (LocalStorage, IndexedDB, advertising identifiers such as IDFA or Android ID, GPS access, etc.), any other identifier generated by software or an operating system (serial number, MAC address, unique terminal identifier (IDFV)), or any set of data used to calculate a unique fingerprint of the terminal (for example via fingerprinting).


43. These cookies and other tracers can be distinguished according to different criteria, such as the purpose they pursue, the domain that places them or their lifespan. Cookies can thus be used for many different purposes (among others, to support communication on the network (“connection cookies”), to measure the audience of a website (“audience measurement cookies, analytical cookies or statistical cookies”), for marketing and/or behavioral advertising purposes, for authentication…).


44. Cookies can also be distinguished according to the domain that places them; they are thus “first party” or “third party”. “First party” cookies are placed directly by the owner of the website visited, unlike “third-party cookies”, which are set by a domain different from the one visited (for example when the site incorporates elements from other sites such as images, social media plug-ins (the "Like" button of Facebook, for example) or advertisements). When these elements are retrieved by the browser or other software from other sites, those sites may also place cookies that can then be read by the sites that have placed them. These “third-party cookies” allow these third parties to monitor the behavior of Internet users over time and across many sites and to create, from this data, profiles of Internet users.

9 Judgment of the Court of 15 June 2021, C-645/19, ECLI:EU:C:2021:483, paragraph 74.


45. Cookies can also be distinguished according to their period of validity, between “session” cookies and “persistent” ones. “Session cookies” are automatically deleted when the browser is closed, while “persistent cookies” remain stored on the device used until their expiration date (which can be expressed in minutes, days or years).
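The distinctions drawn in paragraphs 44 and 45, applied to raw `Set-Cookie` headers as an auditor would see them on a first page load; this is an added example, not part of the decision. The hosts `shop.example` and `tracker.example`, the cookie names and the header values are constructed, and the first-party site is passed in by the caller as an assumption (deriving it from a hostname requires the Public Suffix List).

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def lifetime_seconds(attrs, now):
    """Return None for a session cookie, else seconds until expiry.

    Max-Age takes precedence over Expires (RFC 6265); a value that
    cannot be parsed is ignored, which leaves a session cookie.
    """
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"])
        except ValueError:
            pass
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def domain_matches(host, domain):
    """True if host is domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def classify(first_party_site, response_url, header, now):
    """Classify one observed cookie by party and by period of validity."""
    name, attrs = parse_set_cookie(header)
    host = (urlsplit(response_url).hostname or "").lower()
    # Without a Domain attribute the cookie is bound to the responding host.
    domain = attrs.get("domain", "").lstrip(".").lower() or host
    if not domain_matches(host, domain):
        party = "rejected"  # browsers drop cookies set for a foreign domain
    elif domain_matches(domain, first_party_site):
        party = "first"
    else:
        party = "third"
    ttl = lifetime_seconds(attrs, now)
    if ttl is None:
        kind = "session"
    elif ttl <= 0:
        kind = "expired"  # the server is deleting the cookie
    else:
        kind = "persistent"
    days = None if ttl is None else round(ttl / 86400, 1)
    return {"name": name, "party": party, "kind": kind, "days": days}


def audit(records, first_party_site, now):
    """Classify every (response URL, Set-Cookie value) pair of a page load."""
    return [classify(first_party_site, url, hdr, now) for url, hdr in records]


# Constructed sample: headers seen while loading https://www.shop.example/
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)
FIRST_LOAD = [
    ("https://www.shop.example/", "lang_pref=unset; Path=/"),
    ("https://www.shop.example/",
     "visitor=abc; Domain=shop.example; Max-Age=63072000; Path=/; Secure"),
    ("https://ads.tracker.example/pixel.gif",
     "uid=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure"),
    ("https://ads.tracker.example/pixel.gif",
     "seg=1; Max-Age=86400; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
    ("https://ads.tracker.example/pixel.gif", "spoof=1; Domain=shop.example"),
]

if __name__ == "__main__":
    for row in audit(FIRST_LOAD, "shop.example", NOW):
        print(row)
```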


46. From a legal point of view, a distinction should be made between tracers that must be subject to consent by the user and those that need not be.

47. Trackers that do not require consent are those strictly necessary for the provision of an online communication service expressly requested by the user, or tracers which aim to allow the transmission of the communication by electronic means. These trackers do not require users' consent. The processing of personal data in these tracers is generally based on the legitimate interest of the data controller (Article 6.1.f) of the GDPR).

48. This does not, however, prevent, in compliance with the principle of transparency, informing Internet users of their use, reminding them that browser settings can allow them to block them and, in that case, mentioning the potentially negative effects on the operation of the site. The associated processing of personal data obviously remains subject to the principles of the GDPR.

49. Cookies that do not require consent include those retaining the choice expressed by users on the deposit of tracers, those intended for authentication with a service, those allowing the content of a shopping cart to be retained, or even those personalizing the user interface (for example, for the choice of language or presentation of a service), when such personalization constitutes an intrinsic and expected element of the service.




50. Other trackers and cookies are subject to prior consent. Processing on the basis of legitimate interest is also prohibited for these cookies. All cookies not having the exclusive purpose of allowing or facilitating communication by electronic means, or not being strictly necessary for the supply of an online communication service at the express request of the user, therefore require prior consent. These can for example be linked to the display of personalized or non-personalized advertising (in the latter case, when tracers are used to measure the audience of the advertising displayed) or to sharing functionalities on social networks. In the absence of consent (assuming therefore a user's refusal), these tracers cannot be deposited and/or read on his terminal. 10


IV.2.1- As to the breach concerning the use of a cookie without prior information of the user

51. In essence, the IS notes two shortcomings in this respect:

- Article 12.1 of the GDPR provides that the controller must take appropriate measures to provide the data subject with any information referred to in particular in Article 13 of the GDPR in a concise, transparent, understandable and easily accessible way, in clear and simple terms. Article 12.2 of the GDPR provides that the controller must facilitate the exercise of the rights of the data subject.

- Article 13.1 and 2 indicates, concerning the information to be provided when personal data are collected from the data subject:


“1. Where personal data relating to a data subject are collected from this person, the data controller provides him, at the time when the data in question are obtained, with all of the following information:

a) the identity and contact details of the controller and, where applicable, of the representative of the controller;

b) where applicable, the contact details of the data protection officer;

c) the purposes of the processing for which the personal data are intended as well as the legal basis for processing;

d) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or a third party;






10 See Recommendation No. 01/2020 of the Knowledge Center of January 17, 2020 relating to the processing of personal data for direct marketing purposes, concerning many practical aspects and examples of GDPR-compliant use of cookies, in particular regarding consent and transparency (p. 78 et seq.). See also the CNIL practical file "Cookies and tracers: how to bring my website into compliance?", October 01, 2020, https://www.cnil.fr/fr/cookies-et-traceurs-comment-mise-mon-site-web-en-conformite



e) the recipients or categories of recipients of the personal data, if they exist; and

f) where applicable, the fact that the controller intends to transfer personal data to a third country or to an international organisation, and the existence or absence of an adequacy decision issued by the Commission or, in the case of transfers referred to in Article 46 or 47, or in the second subparagraph of Article 49(1), the reference to the appropriate or suitable safeguards and the means of obtaining a copy of them or where they have been made available;

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data is obtained, with the following additional information that is necessary to ensure fair and transparent processing:

a) the retention period of the personal data or, where this is not possible, the criteria used to determine this duration;

b) the existence of the right to ask the controller for access to personal data, rectification or erasure thereof, or limitation of processing relating to the data subject, or the right to oppose the processing and the right to the portability of the data;

c) where the processing is based on point (a) of Article 6(1) or on Article 9, paragraph 2(a), the existence of the right to withdraw consent at any time, without undermining the lawfulness of processing based on consent carried out before its withdrawal;

d) the right to lodge a complaint with a supervisory authority;

e) information on whether the requirement to provide personal data is of a regulatory or contractual nature or if it conditions the conclusion of a contract and whether the data subject is required to provide the personal data, as well as on the possible consequences of the non-provision of these data;

f) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the underlying logic, as well as the significance and anticipated consequences of such processing for the data subject.”




52. The Litigation Chamber recalls that the objective of the principle of transparency in light of Articles 12, 13 and 14 of the GDPR is that the data subject should be, according to the principle of fairness of Article 5.1.a), able to determine in advance what the scope and the consequences of the processing include, in order not to be caught unawares at a later stage as to how his personal data has been used. The information should be concrete and reliable; it should not be formulated in abstract or ambiguous terms nor leave room for different interpretations. More specifically, the purposes and legal bases of the processing of personal data should be clear.



53. In the Planet49 judgment, 11 the Court of Justice of the European Union held that for the placement of cookies, the controller had to provide information on the duration of operation of cookies as well as on whether or not third parties can have access to these cookies, in order to guarantee fair and transparent information (Article 5.3 of the Privacy and Electronic Communications Directive concerning the placement of cookies is thus read together with the principle of fairness (Article 5.1.a) and the information obligations of Article 13.2 (a) and (e) of the GDPR).


54. Under Articles 5.2 and 24 of the GDPR, the controller must take appropriate technical and organizational measures to guarantee and be able to prove that the processing of personal data using cookies is carried out in accordance with Articles 12 and 13 of the GDPR.


55. In the present case, the IS notes, firstly, that when connecting to the defendant's site (home page), a cookie was already loaded in the browser even though no information had been delivered to the user. Personal data has therefore been processed before the information required by Article 13 GDPR was communicated. The cookie was named "third_party_c_t", and informed the defendant whether or not the user's browser accepted cookies from third parties (preference cookies from participating companies).


56. The defendant acknowledges in its submissions the absence of prior information to the user regarding the placement of the cookie, at least in the version of the site at the time of the investigation carried out by the inspection service. It first emphasizes that the cookie in question was deleted in April 2020 following a change to the website. It adds that it was a first-party cookie and qualified as essential (strictly necessary therefore, which the IS report does not dispute). In addition, this cookie did not constitute a risk for the rights and freedoms of the persons concerned because it did not resemble an identifier.


57. With regard to the period between the entry into force of the GDPR, on 25 May 2018, and the deletion of said cookie in April 2020, the defendant indicates that, for technical reasons, the cookie was placed before the information banner on the use of cookies by the site appeared. It also explains that it was impossible to display information about the cookie in the language of the user, since it is on this page that the user had to select his language/country.

58. It also specifies that insofar as it was an essential cookie, the consent of the user was not required. This is not disputed in the IS report.





11 Judgment of the Court of 1 October 2019, C-673/17, ECLI:EU:C:2019:801.




59. The Litigation Chamber takes note of the modification of the defendant's website, which, as the latter indicates in its submissions, reinforces its compliance with the GDPR. It also takes note of the deletion in April 2020 of the cookie in question. The fact remains that between the entry into force of the GDPR (May 25, 2018) and the deletion of said cookie in April 2020, the defendant collected and processed personal data without first providing information to the user.

60. The arguments put forward by the defendant cannot be followed: the first, according to which the cookie was loaded before the information banner appeared for “technical reasons”, and the second, according to which the information could not be communicated to the user before loading the cookie since it is precisely on the page visited that he had to choose his language/country. Regarding the argument that the language had not yet been selected by the user, it was therefore appropriate to display the warning about the use of the cookie in English, a widespread language commonly used by other websites before the user's language is selected. 12

61. The argument underlined by the plaintiff according to which the impact in terms of risks to the rights and freedoms of users was low: indeed, the obligation of prior information applies to all types of cookies, whether their impact on the right to data protection of data subjects is weak or not.

62. The Litigation Chamber finds a breach of Articles 12 and 13 of the GDPR, between the entry into force of the GDPR (i.e. May 25, 2018) and the withdrawal of the “third_party_c_t” cookie in April 2020.


IV.2.2- As for the transparency of the box indicating that “non-identifiable information” is collected


63. The second shortcoming noted by the IS report concerns the screen which appeared (at the time of the investigation, therefore before the modification of the website) when the user chose his language and his country. This screen indicated: “This website collects and uses non-identifiable information to analyze the activity of the site in order to improve its navigation. You can control how this information is collected and used” and was accompanied by a hyperlink to the “Protecting Your Privacy” page.


64. The IS report emphasizes that although this information is not identifiable, it remains personal data. According to the IS, this box is not "transparent and does not allow the user to get an idea of what is collected and for what reason this collection is made".

12 The Litigation Chamber also refers to the extensive practical information on cookies available on the APD website at the url https://www.autoriteprotectiondonnees.be/citoyen/themes/internet/cookies. See also Recommendation n° 01/2020 of January 17, 2020 relating to the processing of personal data for the purposes of direct marketing, concerning many practical aspects and examples of the use of cookies in accordance with the GDPR, in particular regarding transparency (p. 78 et seq.).


65. The defendant responds in this regard that, since the modification of the website, a dialog box replaces the screen (or box) in question. It also disputes that, for the period prior to the modification, the box was not transparent, in that it was sufficient for the user to click on the hyperlink to obtain information relating to the “non-identifiable information” collected. This screen also remained displayed for the user's entire visit, unless they closed it. It adds that this information was available on other pages of the site as well as in the site's privacy policy document. It also recalls that insofar as these cookies were not subject to prior consent (since they were strictly necessary), the GDPR does not require the controller to provide all the useful information in a single advance information box, which, according to it, would not be feasible in practice.


66. The Litigation Chamber recalls the requirement of recital 58 of the GDPR according to which "The principle of transparency requires that any information sent to the public or to the data subject is concise, easily accessible and easy to understand and formulated in clear and simple terms and, in addition, where appropriate, illustrated with visual elements."

67. It also recalls the requirement of Article 12.1 of the GDPR, which stipulates that “The controller takes appropriate measures to provide any information referred to in Articles 13 and 14 as well as to carry out any communication under Articles 15 to 22 and Article 34 with regard to the processing to the data subject in a concise, transparent, understandable and easily accessible way, in clear and simple terms, in particular for information intended specifically for a child.” (emphasis added)


68. In other words, this means that before consent is sought from the user, the principle of transparency requires that precise information be communicated on the data controller, the purposes pursued by the cookies and other tracers that will be deposited and/or read, the data they collect and their lifespan. The information must also relate to the rights that the GDPR recognizes to the user (or data subject), including the right to withdraw consent.


69. As indicated above, the information must be visible, complete and highlighted. It must be written in simple and understandable terms for any user. That implies, in particular, that the information be written in a language that is easily understandable for the "target audience" to which it is addressed. For example, if the website is intended for a French-speaking and/or Dutch-speaking public, the information must be written in French and/or Dutch. 13


70. The Litigation Chamber considers that the defendant failed, before the modification of the site, to meet the obligation of transparency insofar as the box did not offer, at the very least, a direct link to the information about the cookies used that is required under Article 13 of the GDPR, instead of a general reference to the defendant's privacy policy.

71. In this regard, the Chamber endorses the recent guidelines of the CNIL, 14 which also point out that "A simple reference to the general conditions of use cannot suffice.

At a minimum, the provision of the following information to users, prior to the collection of their consent, is necessary to ensure the informed nature of the latter:

- the identity of the controller(s) of the read or write operations;
- the purpose of the data reading or writing operations;
- how to accept or refuse tracers;
- the consequences attached to a refusal or acceptance of tracers;
- the existence of the right to withdraw consent.”



72. The Litigation Chamber can only repeat the key role of the principle of transparency in respecting the data protection rights of data subjects. This principle contributes to guaranteeing freedom of choice to users by giving them more control over their personal data, in particular in the context of large-scale Internet tracking practices in our digital economy.

73. The Litigation Chamber notes from the outset and in the alternative that, in addition to the necessary compliance with the principle of transparency, as developed below, the consent of the user (for non-functional cookies) must also meet a certain number of requirements.










13 As indicated below, in the present case, in the absence of being able to identify the target language from the first page of the site, the controller may use English in order to allow the user to choose his language.

14 Deliberation no. 2020-091 of September 17, 2020 adopting guidelines relating to the application of article 82 of the amended law of 6 January 1978 to read and write operations in a user's terminal (in particular to “cookies and other tracers”) and repealing deliberation no. 2019-093 of July 4, 2019, points 23-25.




74. For information purposes, the Litigation Chamber refers to the APD website, where many practical tips for GDPR-compliant use of cookies are available.

75. In the present case, the Litigation Chamber finds that the defendant has rectified the breaches of the principle of transparency mentioned above by modifying its site. The breach identified in the IS report is therefore no longer relevant.





IV.3- Regarding breaches of Articles 12 and 13 of the GDPR

76. The IS report also indicates that the defendant's Privacy Policy document would not comply with Articles 12 and 13 of the GDPR, firstly because the information provided is not always concise, transparent or understandable, and secondly because it is incomplete.

IV.3.1- As for the fact that the information is not always transparent or understandable

77. The IS considers that the information contained in the defendant's Privacy Policy document is not always transparent or understandable, for several reasons.

78. A- Firstly, the IS points out that the language used would be neither coherent nor logical because the defendant uses the terms “personal information” and “personal data” instead of “personal data” as in the GDPR.


79. As indicated above, Article 12 of the GDPR requires that the information to be provided under Articles 13 and 14 of the GDPR be communicated "in a concise, transparent, understandable and easily accessible way, in clear and simple terms”. The Article 29 Working Party specifies in its Guidelines on Transparency 16 that “the requirement that this information be “understandable” means that it should be understood by the majority of the target audience. Comprehensibility is closely related to the requirement to use clear and simple terms”.


80. The Litigation Chamber considers that the defendant must be followed when explaining that the GDPR does not require the use of the term “personal data”, that the terms "personal information" and "personal data" may be understood by the majority of the intended audience (particularly in the context of reading the paragraphs using them), and that they can be considered as synonyms.

15 https://www.autoriteprotectiondonnees.be/citoyen/themes/internet/cookies. See also the CNIL website, “Questions and answers on the amending guidelines and the “cookies and other trackers” recommendation”, available via https://www.cnil.fr/fr/questions-reponses-lignes-directrices-modificatives-et-recommandation-cookies-traceurs.

16 Article 29 Working Party, “Guidelines on Transparency within the meaning of Regulation (EU) 2016/679”, revised version adopted on 11 April 2018, WP260 rev.01, 17/FR, p. 8.


81. The Chamber further notes that the defendant now only uses the term “personal data” in the updated version of its Privacy Policy document.

82. This breach raised by the IS is therefore invalid.

83. B- Secondly, the IS raises that the warning of “undesirable consequences” in the event of refusal of cookies is not understandable and therefore prevents free consent, since it does not explain what these undesirable consequences are.


84. The Article 29 Working Party expressed itself in these terms:

“A key aspect of the principle of transparency highlighted in these provisions is that the data subject should be able to determine in advance what the scope and the consequences of the processing include, in order not to be taken unawares at a later stage as to how his personal data has been used. It is also an important aspect of the principle of fairness under Article 5(1) of the GDPR, which is also linked to recital 39, which provides that “[n]atural persons should be informed of the risks, rules, safeguards and rights associated with the processing of personal data”. More particularly, with regard to complex, technical or unforeseen data processing, the position of the WP29 is that controllers should, in addition to providing the information set out in Articles 13 and 14 (discussed later in these guidelines), define separately and clearly the main consequences of the processing: in other words, what will actually be the effect of the specific processing described in a privacy statement or notice for the data subject. In accordance with the principle of accountability and in accordance with recital 39, controllers should assess whether there are, for the natural persons concerned by this type of processing, particular risks which should be brought to the attention of the data subjects. Such an assessment could help provide insight into the types of processing that are likely to have the most impact on the fundamental rights and freedoms of data subjects with regard to the protection of their personal data.” (emphasis added)



85. According to the defendant, it is clear that the words “undesirable consequences”, read in their context, refer to the use of the site, which does not operate optimally if essential cookies are rejected. It specifies that this warning is repeated in several different places on the site, and that in the new version of the site, a table explaining the effects of rejecting cookies has been added.

17 Ibid.


86. The Litigation Chamber is of the opinion that the use of these terms allows users to understand the practical consequence of rejecting the cookie. Nevertheless, beyond the question of clearly informing the user about the “undesirable consequences” (impossibility of using the site or limited use) related to the rejection of the cookie, the Litigation Chamber stresses, in the alternative, that this “cookie wall” practice can only be followed when the rejected cookie is a strictly necessary cookie (unlike the case of a non-functional cookie) (see below, part IV.7.2 on this subject).

87. The defendant can therefore be followed when it maintains that these terms refer in a sufficiently clear way to the use of the website.


   88. C- Finally, the IS report argues that the reference to “additional information

       » concerning cookies on the Google, Firefox, Windows sites, on the site of the

       defendant is not understandable either in the absence of explanations

       additional.


   89. The defendant maintains that this reference to the “additional information” on the

       cookies to the main browsers (Google, Firefox, Windows) is a practice

       It specifies that most websites using cookies do the same, including

       the ODA website. It specifies that the site even contains an additional information section


       entitled “Get to know your computer’s privacy settings”,

       which provides concrete explanations with supporting images.

   90. In this context, the Litigation Division is of the opinion that the reference to the
       “additional information” on browser cookies (Google, Firefox, Windows) is
       understandable enough for the user.

IV.3.2- As to the fact that the information is not complete

   91. The IS then argues that the information contained in the defendant's Privacy Policy
       document is not complete, for two reasons.

   92. A- Firstly, the IS raises that the existence of the right to withdraw consent at any
       time is not mentioned for the processing of personal data, but
       only for the management of cookies.

   93. Article 7.3 of the GDPR lays down strict conditions for the withdrawal of valid
       consent: (a) the data subject has the right to withdraw consent at any time,
       (b) the data subject must be informed of this in advance, and (c) it must be as simple
       to withdraw consent as to give it. Pursuant to article 129, last paragraph of the ECL,
       the controller is obliged to give the end users of the terminal equipment concerned,
       "free of charge", the possibility "to withdraw consent in a simple manner".


94. This right to withdraw consent must therefore be subject to prior information
    (Article 7.3.b), and should also be read in conjunction with the requirement of fair and
    transparent processing within the meaning of Article 5 and Article 13.2.c of the GDPR.
    Non-existent or incomplete information concerning the right to withdraw consent
    would imply that the consent would be given de facto for an infinite period and that the
    data subject would be deprived of their right to withdraw their consent. These rules
    apply with regard to both "first party" cookies and "third party" cookies.

95. The defendant replies that except for analytical cookies (and in the rare cases where
    personal data is contained in a contact form), the site does not process
    any personal data for which consent is required. However, the privacy
    statement indicates that users of the site can erase cookies,
    which amounts, unequivocally according to the defendant, to withdrawing their consent. She
    concludes that further mention of the existence of the right to withdraw consent
    is not necessary.


96. The defendant adds that the APD does the same on its own website, that is to say it
    also uses analytical cookies based on consent (and contact forms),
    without explicit mention of the “right to withdraw consent” in its
    "Data Protection Statement".


97. The Litigation Division takes note of the fact that in the current version of the page
    "Protection of your privacy", a specific statement on the existence of the right to withdraw
    consent for the processing of personal data has been inserted, and considers
    that the information is sufficiently complete.


 IV.4- Regarding breaches of Article 30 of the GDPR


98. The IS also points out that the processing register does not mention the third countries
    to which several categories of personal data are transmitted, but merely contains
    a reference to documents from subcontractors with whom the defendant has entered into agreements.

99. The defendant replies that the register is based on a model of a European regulator,
    which includes referrals. She explains that she works with different American
    subcontractors providing cloud computing type services, and that the information on
    these third countries may vary according to their servers and types of services. She adds that the
    purpose of the references to these documents of its subcontractors is to have information that is
    always complete and up-to-date. She also clarifies that this concerns only
    a few boxes of the register, that it is otherwise completed in accordance with the GDPR, and
    that the latter does not prohibit doing so.


   100. The Litigation Chamber strongly recommends that third countries be indicated and
       easily identifiable in the processing register, particularly in view of the
       recent case law of the CJEU in terms of transfer to third countries. On the basis of
       Article 100.9 of the LCA, it orders the defendant to adapt its register of
       processing by clearly indicating the third countries to which personal data
       are sent, to better respond to the case law of the CJEU.





    IV.5- Regarding breaches of Articles 24 and 32 of the GDPR


   101. The IS criticizes the use of the http protocol (URL link) rather than https, in that this
       constitutes a breach of the security obligation.


   102. The defendant replies that since January 15, 2020 the site has switched to the https
       protocol. She also explains that this migration has been an ongoing project since 2014, but that
       its implementation has been long and difficult due to the fact that it must collaborate with all
       its members (more than a hundred). She adds that since her site only processes a small amount of
       personal data, the risks for the persons concerned were low, and that
       given the risk-based approach of the GDPR, this migration to the https protocol
       was not necessarily necessary.


   103. Without pronouncing further on this subject, the Litigation Chamber takes note of the

       migration of the site to the https protocol, and notes that the breach mentioned in the report

       of the IS is therefore no longer relevant.




IV.6- Regarding breaches of Articles 24 and 37 of the GDPR




   104. In addition, the IS criticizes the absence of an official decision documenting the choice
       whether or not to appoint a Data Protection Officer (DPO hereafter), and considers that the
       defendant should have appointed a DPO because it uses a cookie which allows “regular and
       systematic monitoring on a large scale of the persons concerned”.


   105. The respondent notes that the GDPR does not require a formal procedure to be followed for

       the decision to appoint a DPO or not, and that documenting the reasons for this

       decision not to appoint is a recommendation and not an obligation.





18 Judgment of the Court of 16 July 2020, C-311/18, Facebook Ireland and Schrems, ECLI:EU:C:2020:559 (“Schrems II case”).




   106. Next, concerning the cookie which, according to the IS, allows "regular and systematic
       monitoring on a large scale of the persons concerned”, the defendant replies that the cookie
       has no longer been used since April 2020. She adds that even when it was used, this cookie
       did not justify appointing a DPO because “this cookie was not an identifier since it was the
       same for everyone and therefore did not allow a user to be followed”. Nevertheless,
       insofar as this cookie contained personal data, it allowed
       the persons concerned to be identified.


   107. The defendant argues that there was no “large-scale monitoring”, and that even if
       its cookies allowed “systematic and large-scale monitoring” -quod non-, this would
       still have had to constitute a “basic activity” of the defendant, which was
       not the case (the proof being that today it continues the same activities but without the
       cookie in question).


   108. The Litigation Division is of the opinion that the defendant can be followed when it
       argues that the GDPR does not require a formal procedure to be followed for the decision to
       appoint a DPO or not, and that documenting the reasons for the decision not to
       appoint one is a recommendation and not an obligation.


   109. Concerning the obligation to appoint a DPO, the Litigation Chamber recalls the requirement
       of Article 37.1.b) of the GDPR, according to which a data controller must appoint a DPO
       if “the core activities of the controller or processor consist of
       processing operations which, due to their nature, their scope and/or their
       purposes, require regular and systematic monitoring on a large scale of the persons
       concerned”. This article should be read in conjunction with the Guidelines
       on data protection officers of the Article 29 Working Party. Without
       “systematic and large-scale monitoring”, it cannot be concluded that there has been a breach
       of Article 37 of the GDPR.





    IV.7- Regarding the content of the complaint


   110. After considering the shortcomings raised by the IS, the Litigation Chamber

       examines below the grievances as expressed by the complainant in his complaint.


   111. As indicated above (nos. 12 to 14), the complainant raises two grievances in his complaint.
       He indicates in the first place that the tool for selecting advertising preferences
       does not work, in that the opt-out cookie for many third parties
       does not work (although he clicks the decline option, the accept option re-engages
       automatically). He thus raises that his consent to these cookies is forced and therefore
       not free within the meaning of Articles 4.11 and 7 of the GDPR.

19 WP243rev.


112. He also complains that the website requires the user to accept cookies in order to
    be able to select their advertising preferences. The cookie in question makes it possible to
    inform the defendant whether or not the user's browser accepts
    third-party cookies. The Litigation Chamber therefore understands that the plaintiff
    opposes the placement of the cookie, as well as the subsequent processing of his personal
    data by the defendant.


     IV.7.1- Concerning the complainant's first grievance, relating to the malfunctioning of

     the tool for choosing advertising preferences



113. The respondent responds to the complainant's first grievance that it is clearly indicated on its
    site (in the preference choice tool itself as well as in the General Conditions
    of Use) that when ad blocking software is used, the choice tool may
    not work. It also appears from the print screen of the complainant's browser
    in the IS report that he actually uses such software. The IS report (based
    in particular on the technical analysis report, which includes a test of the proper
    functioning of the control tool) does not identify any malfunction of the control
    tool. Therefore, the Litigation Chamber cannot support the complainant in his grievance
    that his consent would be forced, in violation of Articles 4.11 and 7 of the GDPR.


     IV.7.2- Regarding the complainant's grievance that the defendant's website obliges
     the user to accept cookies in order to be able to use the site, a practice known as a
     “cookie wall”

114. Before examining the specific issue of the cookie wall, for educational purposes, the

    Litigation Division considers it useful to recall the rules regarding

    consent.


     IV.7.2.1- Concerning the criteria for valid consent



115. Article 4.11 of the GDPR defines the “consent” of the data subject as
    follows: "any manifestation of will, free, specific, informed and unequivocal, by
    which the person concerned accepts, by a declaration or by a clear positive act, that
    personal data concerning him are processed”.


116. Article 7 of the GDPR also sets out the conditions applicable to consent:

     “1. In cases where processing is based on consent, the controller
     is able to demonstrate that the data subject has given consent to the
     processing of personal data relating to him.

     2. If the consent of the data subject is given in the context of a
     written statement which also concerns other matters, the request for
     consent is presented in a form that clearly distinguishes it from these other
     matters, in an understandable and easily accessible form, and formulated in
     plain and simple terms. No part of this statement that constitutes a violation of
     this regulation is binding.

     3. The data subject has the right to withdraw consent at any time. The
     withdrawal of consent does not affect the lawfulness of processing based on the
     consent given before this withdrawal. The person concerned is informed of this before
     giving consent. Withdrawing consent is as easy as giving it.

     4. When determining whether consent is freely given, the greatest account
     should be taken of the question whether, inter alia, the performance of a contract,
     including the provision of a service, is subject to consent to the processing of
     personal data which is not necessary for the execution of the said contract.”

   117. Also, according to recital 43 of the GDPR, “consent is presumed not to have been
       freely given if separate consent cannot be given to different
       personal data processing operations although this is appropriate
       in the case at hand".


   118. Furthermore, Article 5.3 of the ePrivacy Directive, as transposed by Article 129 of the
       LCE, lays down the condition that the user "has given his consent" for the placement and
       the consultation of cookies on his terminal equipment, with the exception of
       the technical recording of information or the provision of a service expressly
       requested by the subscriber or end user, when placing a cookie is
       strictly necessary for this purpose.


   119. As indicated above, a cookie is qualified as “functional” when it is
       indispensable for carrying out the sending of a communication via an electronic
       communications network or for providing an expressly requested service.


   120. Recital 17 of this Directive specifies that for its application, the notion of

       "consent" shall have the same meaning as "consent of the person

       data subject", as defined and specified in the Data Protection Directive 95/46 20

       now replaced by the GDPR.


   121. In the Planet49 judgment, the Court of Justice of the European Union clarified the requirement of
       consent for the placement of cookies following the entry into force of the GDPR and
       explained that explicit active consent was now required:







20 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons
with regard to the processing of personal data and on the free movement of such data.




         "Active consent is thus now expressly provided for by Regulation
         2016/679. It should be noted in this regard that, according to recital 32 of that regulation,
         consent could be expressed in particular by ticking a box when
         visiting a website. That recital, on the other hand, expressly excludes that
         there is consent “in the event of silence, default ticking or inactivity”. It
         follows that the consent referred to in Article 2(f) and Article 5(3) of
         Directive 2002/58, read in conjunction with Article 4(11) and Article 6(1)(a)
         of Regulation 2016/679, is not validly given when the storage
         of information or access to information already stored in the terminal equipment of
         the user of a website is authorized by a box checked by default that the user
         must uncheck to refuse consent." 21



    122. The consent must also be "specific". The Litigation Chamber refers to the
        Guidelines on consent within the meaning of Regulation 2016/679 22, which have been
        ratified by the EDPB:

         "Article 6(1)(a) confirms that the consent of the person
         concerned must be given in connection with "one or more specific purposes" and that the
         data subject has a choice “regarding each of these purposes” 23. This means
         "that a data controller who seeks consent for various purposes
         should provide separate consent for each purpose so that
         users can give specific consent for specific purposes." 24




    123. More specifically, the user of the website should receive information

        among other things on the methods of expressing his will about cookies, and

        how he can "accept them all, accept only some or none". 25



    124. For example, confirming a purchase or accepting terms and conditions is
        therefore not sufficient to consider that consent has been validly given to the placement or
        reading of cookies. Nor can consent be given for the sole
        "use" of cookies, without further details as to the data collected via these cookies
        or as to the purposes for which this data is collected. The GDPR indeed requires
        a more detailed choice than a simple “all or nothing”, but it does not however require a



21 Planet49 judgment, points 61 and 62.
22 Data Protection Working Party, Guidelines on Consent within the meaning of Regulation 2016/679, WP259, p. 4.
23 Ibid, p. 14.
24 Ibid, p. 14.
25 Data Protection Working Party, Working Document 02/2013, setting out guidelines on the collection of
consent for the deposit of cookies, p. 3, https://cnpd.public.lu/dam-assets/fr/publications/groupe-art29/wp208_fr.pdf




       consent for each cookie individually. If the manager of a site or a
       mobile application seeks consent for several types of cookies, the user
       must have the choice to give consent (or refuse) for each type of
       cookie, or even, in a second layer of information, for each cookie
       individually.



   125. This position is also defended by the CNIL, which considers that the fact of “collecting
       a single consent for several processing operations simultaneously
       meeting distinct purposes (the coupling of purposes), without the possibility of accepting or
       refusing purpose by purpose, is also likely to affect, in certain cases, the
       freedom of choice of the user and therefore the validity of his consent.” 26


   126. The Litigation Chamber refers in this respect to the Guidelines of the Data Protection
       Working Party on how to obtain consent. According to
       the Data Protection Working Party, consent must be obtained per
       cookie or per cookie category. 27


        IV.7.2.2- Concerning the complainant's second grievance and the practice of the "cookie wall"



   127. With regard to the complainant's second allegation (namely that he is obliged to accept
       cookies to be able to select his advertising preferences - and that he opposes the
       subsequent processing of his personal data by the defendant-), the Litigation
       Chamber recalls that consent must be free. Indeed, as indicated
       supra, the GDPR requires one to “take the greatest account of the question whether, among
       other things, the performance of a contract, including the provision of a service, is subject to
       consent to the processing of personal data which is not necessary for
       performance of the said contract”. According to recital 42 of the GDPR, which clarifies the requirement
       of freedom of consent set out in its article 4, “consent should not be
       considered to have been freely given if the person concerned does not have
       genuine freedom of choice or is unable to refuse or withdraw his
       consent without prejudice”.


   128. The EDPB condemns, in its recent guidelines 28, the practice which makes the
       provision of a service or access to a website conditional on the acceptance of write or
       read operations on the user's terminal, or "cookie wall". We thus read that "In order for
       consent to be given freely, access to the services and functionalities must not



26 Deliberation no. 2020-091 of September 17, 2020 adopting guidelines relating to the application of article 82
of the amended law of 6 January 1978 to read and write operations in a user's terminal (in particular to
“cookies and other tracers”) and repealing deliberation no. 2019-093 of July 4, 2019, points 17-19.
27 Ibid.
28 EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679, 4 May 2020, point 39, p. 13.



    be conditioned on the consent of a user to the storage of information, or to access
    to information already stored, on a user's terminal equipment". The EDPB adds,
    regarding consent, that:

     “The controller must demonstrate that it is possible to refuse or withdraw
     consent without prejudice (recital 42). For example, the controller
     must prove that the withdrawal of consent does not generate costs for the
     person concerned and that there is therefore no obvious disadvantage for those who withdraw
     their consent.

     47. Other examples of harm are deception, intimidation, coercion or any
     significant negative consequence if the person concerned refuses to give his
     consent. The controller should be able to prove that the
     data subject has real freedom of choice regarding the decision
     whether or not to give consent and that it is possible to withdraw consent without
     suffering harm.

     48. If a data controller is able to demonstrate that a service includes the
     possibility of withdrawing consent without suffering negative consequences, i.e.
     without the quality of service being reduced to the detriment of the user, this can
     constitute proof that the consent was freely given. The GDPR does not exclude
     all incentives, but it will be up to the data controller to demonstrate that the
     consent was given freely in all circumstances.”



129. The guidelines include concrete examples:


     “49. Example 8: when a user downloads a mobile application from the “lifestyle”
     category, the application seeks the user's consent to access the accelerometer of the
     phone. This access is not necessary for the operation of the application, but is
     useful for the data controller who wishes to know more about the movements and
     the activity levels of its users. When the user later withdraws her
     consent, she discovers that the application no longer works except in a
     limited way. This is an example of harm within the meaning of recital 42, which means
     that the consent was never validly obtained (and the controller must therefore
     delete all personal data relating to the movements of the
     users collected in this way).



     50. Example 9: A data subject subscribes to a newsletter of a
     fashion brand with general discounts. The retailer requests the
     consent of the person concerned to collect more data on his
     shopping preferences in order to adapt its offers to his preferences
     based on his purchase history or a questionnaire completed on a voluntary basis.
     If the person concerned subsequently withdraws his consent, he will again receive
     non-personalized reductions. This is not a prejudice, since only
     the authorized incentive will have been lost.



     51. Example 10: A fashion magazine gives its readers the opportunity to buy
     new make-up products before their official launch.

     52. The products will soon be available on the market, but readers of this magazine
     benefit from an exclusive preview of these products. In order to take advantage of this
     benefit, readers must give their mailing address and consent to their registration
     on the magazine's mailing list. The mailing address is required for shipping and
     the mailing list is used for sending commercial offers for products such
     as cosmetics or t-shirts throughout the year.

     53. The company explains that the data on the mailing list will only be used
     for the sending of products and advertising leaflets by the magazine itself and will
     in no way be shared with other organizations.

     54. If the reader does not wish to reveal his address for this purpose, he will suffer no prejudice
     as long as the products are still accessible to him.”


130. The Respondent responds in its conclusions to the grievance raised by the Complainant that it is
    indicated in several places on the site in question that the service provided via the tool for
    choosing advertising preferences is based on the use of cookies sent by the participating
    companies, and that if the user does not wish to receive cookies, then he must not
    use the service. It states more precisely in its conclusions (p. 19):


 • “The very first page of the YOC Website (the one from which one can choose a
     country and language) contains a link titled “How does this website work?”, which leads to
     a page that says:

     “When using the control tool function, small text files called
     "cookies" are used by many of the companies listed to verify
     your current status and make the choice you wish to exercise. These files are
     essential to this function and help identify errors in its functionality. If
     you want to ensure that these cookies are not used, please see our
     five main tips for more details on how to manage cookies in
     your browser's privacy settings. However, if you do, the control
     tool will no longer function effectively” (Exhibit 9 – pages 1 and 2).




 • The terms and conditions that govern the use of the YOC Website and the YOC Tool
     indicate that:

     “To be able to use the website (…), it is necessary that each of the participating
     companies places a cookie on your web browser (the preference cookie)
     so that we can remember your selections. Information on the
     cookies is available in our privacy policy: […]. If you use the
     website (…) with another computer or browser, or if you erase/delete your
     cookies, we will not be able to remember your preferences. You will need to return
     to the website (…) to select your preferences again. Additionally, the
     website (…) will not work properly if your browser is configured to
     block cookies, as your preferences cannot be saved without use
     of the preference cookie” (Exhibit 9 – page 3).



 • The “Protection of your privacy” page indicates:

     “This website covers the European Union/European Economic Area
     (EU/EEA), as well as Switzerland and Turkey and includes easy-to-use functionality (which
     any user can access from any of the countries of the
     list) that will disable online behavioral advertising for users (from
     participating companies) who will choose […] Please note that disabling
     cookies for this purpose will prevent the control tool from functioning.”



131. The Litigation Chamber notes that the user is therefore well informed of the fact that
    the use of these preference cookies is necessary for the operation of the site, and that
    the site imposes the choice to accept this system or not to use the website. The
    Chamber emphasizes that this reasoning can only be followed insofar as it concerns
    strictly necessary cookies, since these cookies do not require the consent of
    the user. In this case, the processing subsequent to the placement of cookies
    is not based on consent, but on the legitimate interest of the data controller
    (Article 6.1.f) of the GDPR).


132. Conversely, this reasoning must be rejected in cases where it concerns cookies that are not
    strictly necessary. Indeed, the user must be able to accept or refuse, for
    each application and each website, the deposit of non-functional cookies without
    coercion, pressure or outside influence. This requirement implies, inter alia, that
    the user cannot be refused certain services or advantages on the grounds that he has
    not consented to the use of non-functional cookies. The user who refuses a cookie
    requiring consent must be able to continue to benefit from the service, such as access to
    a website.


   133. In the present case, insofar as the cookie in question is strictly necessary,

       the complainant's grievance cannot be upheld. There is therefore no breach of Article 6.1.a)

       of the GDPR, linked to the practice of “cookie walls”.


   134. Given the importance of transparency regarding the decision-making process of the Litigation
       Chamber and in accordance with Article 100.1, 16° of the LCA, this decision is
       published on the website of the Data Protection Authority with the
       identification data of the parties deleted, since these are neither necessary nor relevant
       in the context of the publication of this decision.
























FOR THESE REASONS,

THE LITIGATION CHAMBER

Decides, after deliberation:

- On the basis of Article 100, § 1, 9° of the LCA, an order to bring the defendant's register of
    processing into compliance, as indicated above

- On the basis of article 100, § 1, 5° of the LCA, a reprimand

Pursuant to Article 108, § 1 of the LCA, this decision may be appealed to the
Court of Markets (Brussels Court of Appeal) within 30 days of its
notification, with the Data Protection Authority as defendant.







(se). Hielke Hijmans

President of the Litigation Chamber