APD/GBA (Belgium) - 11/2022: Difference between revisions
Revision as of 14:50, 3 February 2022
APD/GBA (Belgium) - 11/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(1) GDPR Article 4(11) GDPR Article 5(1)(a) GDPR Article 7 GDPR Article 12 GDPR Article 13 GDPR Article 5.3 ePrivacy Directive |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 21.01.2022 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 11/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-11-2022.pdf (in EN) |
Initial Contributor: | Matthias Smet |
The Belgian DPA issued a reprimand against a website owner for violating Article 12 and Article 13 GDPR and ordered them to comply with their processing register.
English Summary
Facts
The respondent owns a website 'YourOnlineChoices', through which data subjects can control their ad experience online. When browsing the web and visiting different websites, they can control which non-essential (e.g. for advertising purposes) cookies they accept or refuse. If they choose to turn off interest-based advertising, they still see advertisements on the internet, but these are not adapted to their suspected interests or preferences.
The Belgian DPA received a complaint via the Internal Market Information (IMI) system from the Berlin DPA regarding the illegitimate use of cookies on a website. More specifically, the complainant stated that (i) the tool for selecting advertising preferences did not work (cookie opt-out option for third parties does not work) and that consent was therefore not freely given; (ii) the website forced users to accept cookies in order to be able to select their advertising preferences.
On cross-border processing - competence of the Belgian DPA
According to Article 56 GDPR "the supervisory authority of the main establishment[...] of the controller shall be competent to act as lead supervisory authority for cross-border processing[...]". The Belgian DPA was found to be competent because the defendant had its sole place of business in Belgium, although its activities were deemed to substantially affect or be likely to affect data subjects in several Member States, including Germany.
Holding
Obligation to set cookies in order to select advertising preferences on the website & "Cookie wall" practice (violation of Article 7 GDPR) - Complaint not upheld
The complainant argued that their consent was not freely given because they could not have used the website without giving it. In its recent guidelines, the EDPB indeed condemned the practice of making the provision of a service or access to a website conditional on accepting the placement of non-necessary cookies on the user's device.
However, in this case the cookie in question was strictly necessary for the functioning of the website. The respondent showed that the cookie needed to be placed in order to use certain parts of the website (namely the homepage / terms and conditions / Protecting your privacy-page), and thus that the legal basis for processing this personal data and placing this cookie was not consent, but the legitimate interest of the data controller (Article 6(1)(f) GDPR).
Use of cookies without prior information given to the user (violation of the transparency principle - Article 5 GDPR) - Complaint upheld
The DPA restated that the purpose of the transparency principle is that the data subject should be able to determine what the scope and consequences of the processing encompass before it occurs. Thus, controllers are required to at least provide information on (i) the duration of the operation of cookies and (ii) whether the cookie is a first or third party one.
The DPA's investigation showed that, when the website was viewed, a cookie was loaded in the browser even before any information could be delivered to the user, because it was otherwise technically impossible to display the necessary information in the user's language. The DPA held that due to the absence of language selection by the user, it would have been appropriate to display the information regarding the use of cookies in English, a widespread language commonly used by other websites.
Thus, the Belgian DPA issued a reprimand to the operator of 'YourOnlineChoices.com' for violating Article 12 GDPR and Article 13 GDPR and ordered them to comply with their processing register - specifically to mention the third countries to which personal data was sent.
On top of that, the Belgian DPA also shares some interesting insights regarding the processing of cookies:
- definition of 'trackers';
- different types of cookies;
- valid consent under GDPR and ePrivacy Directive - transparency obligations
Comment
This decision of the Belgian DPA differs from others because it provided a significant amount of background and additional information regarding 'best practices' when using cookies.
Side note for discussion: The investigation service of the Belgian DPA stated about 'non-identifiable information to analyse site activity to improve navigation' that 'although this information is not identifiable, it is still considered personal data'. How does this reconcile with the definition of 'personal data' in Article 4(1) GDPR that clearly refers to 'identified or identifiable natural persons'?
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Litigation Chamber
Decision on the merits 11/2022 of 21 January 2022
File number: DOS-2018-05968
Subject: Cross-border cookie complaint
The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman, and Messrs. Yves Poullet and Christophe Boeraeve, members, resuming the affair in this composition;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (general regulation on data protection), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);
Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
made the following decision regarding:
the complainant: Mr. X
the defendant: Y., represented by his counsel, Maître Rue, Chaussée de La Hulpe, 177/12, 1170 Brussels.
I- Procedural Feedback
1. Having regard to the complaint received via the IMI system by the Berlin data protection authority (Berliner Beauftragte für Datenschutz und Informationsfreiheit) on August 24, 2018 to the Authority of data protection (DPA);
2. Considering the decision of November 23, 2018 of the President of the Litigation Chamber to transfer the file to the inspection service for investigation;
3. Having regard to the investigation report of the Inspection Service (“IS” below) of October 19, 2019;
4. Having regard to the exchanges between the Berlin data protection authority (Berliner Beauftragte für Datenschutz und Informationsfreiheit) and DPA, in the context of Article 60 GDPR;
5. Considering the decision of April 29, 2020 of the President of the Litigation Chamber considering that the file was ready for substantive processing under Articles 95 § 1, 1° and 98 LCA, the Chairman invited the parties to conclude by letter on the same date;
6. Considering the conclusions of the defendant, received on June 9, 2020;
7. Given the absence of submissions in response from the complainant;
8. Having regard to the Respondent's summary submissions, received on July 21, 2020;
9. Having regard to the translation of the procedural documents (inspection report and conclusions of the defendant) into the plaintiff's language (German);
10. Having regard to the hearing of April 30, 2021 in the presence of the defendant represented by his counsel Me Rue, in the absence of the plaintiff, although he was summoned;
11. Considering the sending to the parties of the minutes of the hearing and the comments of the parties;
II- The facts of the complaint
12. The complainant raises in his complaint that the tool for selecting the preferences advertising does not work, in that the opt-out cookie for many third parties does not work (although he clicks the decline option, the accept option automatically resets). He raises as well as his consent to these cookies is forced and therefore not free within the meaning of Article 4.11 and 7 of the GDPR.
13. He further argues that the website requires the user to accept cookies in order to be able to select their advertising preferences.
14. The cookie in question allows the defendant to be informed that the browser of the user accepts or not the cookies of third parties. The Litigation Chamber therefore understands that the complainant opposes the placing of the cookie, as well as the subsequent processing of his personal data by the defendant.
15. The Litigation Chamber will examine the facts reported by the plaintiff, within the framework of the mission of monitoring compliance with the GDPR entrusted to the DPA (of which it is the administrative litigation) by the European legislator (article 58 of the GDPR) and by the Belgian legislator (article 4 LCA), both in the light of the articles of the GDPR referred to in the form of complaint that he introduced on August 24, 2018, that in the light of the articles of the GDPR such examined in the report of the inspection service.
16. The shortcomings noted in the IS report will be examined first. The grievances raised by the complainant in his complaint will be examined secondarily.
III- Findings of the Inspection Service
17. Following its investigation, the IS produced an investigation report, in which it notes breaches combined with articles 5 and 6, 12 and 13, 24 and 30, 24 and 32, as well as 37 of the GDPR.
Statement concerning the principles relating to the processing of personal data (Article 5 of the GDPR) and concerning the lawfulness of the processing (Article 6 of the GDPR):
“The technical analysis report of 07/03/2019 (Exhibit 12), the relevant elements of which on pages 9/14 and 10/14 are cited below, demonstrates the existence of the following practices which are incompatible with the principle of lawfulness, loyalty, transparency of Article 5 of the GDPR and with the obligation of lawfulness of the processing of article 6 of the GDPR:
“When connecting to the site […] on the home page (screenshot 8) a cookie is already loaded in the browser when no information has been delivered to the user.
The cookie named “third_party_c_t” with value “hey+there %21” coming from the domain (…) is a cookie which makes it possible to inform Y whether or not your browser accepts cookies from third parties”, and;
“By choosing the country in which you are located, we arrive on the screen in screenshot 9 indicating that non-identifiable information is being collected. The fact that the information is not personally identifiable. There is nothing "transparent" about this box and does not allow the user to get an idea of what is collected and why it is collected.”
Observation concerning the transparency of information and communications and methods of the exercise of the rights of the data subject (Article 12 of the GDPR) and information to provide when personal data is collected from the person data subject (Article 13 of the GDPR):
As for the transparency of information, the IS notes:
“The “privacy policy of […]” the text of which can be found on pages 19 to 24 and explanations on pages 9 and 10 of the document […] which was communicated to the service inspection by Y via his email of 07/17/2019 (Exhibit 14) does not comply with Article 12(1) or Article 13 GDPR, which are relevant here, for the following reasons:
The information provided is not always transparent and understandable for data subjects as required by Article 12, paragraph 1 of the GDPR. First the language used is not coherent and logical given that the notions of “personal information” and "personal data" are used while the GDPR systematically speaks of "personal data". Then the use of cookies is mentioned accompanied by two warnings which indicate that "disabling cookies for this purpose prevents the control tool from working effectively and could have undesirable consequences on your experience of global navigation" and also that "deleting or rejecting cookies could have undesirable consequences for your experience of our website”.
Those warnings are not comprehensible for the persons concerned and prevent a free consent on their part for the use of cookies since they do not explain what “undesirable consequences” means concretely. Finally, the reference to "additional information" on the sites of Google, Firefox, Windows and Safari is not comprehensible for those concerned since there is no explanation on this mentioned for the persons concerned”.
As for the fact that the information would be incomplete, the IS notes:
“The information provided is incomplete because all the information that should be provided in accordance with Article 13 of the GDPR are not actually provided to persons concerned. First, the existence of the right to withdraw consent at any time, without affecting the lawfulness of the processing based on the consent made before the withdrawal thereof is not mentioned with regard to the processing of data of a personal nature by Y; this right is only mentioned for the management of cookies on the website accompanied by the aforementioned disclaimer which states that "the act of deleting or rejecting cookies could have undesirable consequences for your experience of our website".
Statement concerning the register of processing activities (Article 30 of the GDPR)
“The register of processing activities which can be found in the document “[FR] Annex 1_(..) Register of GDPR checks” which was communicated to the inspection service by Y via its email of 07/17/2019 (Exhibit 14) does not mention the identification of third countries to whom the personal data is transmitted for several activities of processing. For these processing activities, the texts “Refer to (…)”, “Refer to (…)”, “Refer to (…)” and “Refer to (…)” are mentioned in the column “Names third countries or international organizations to which the personal data are transferred (if possible)”.
Statement concerning the responsibility of the data controller (article 24 of the GDPR) and regarding the security of processing (Article 32 of the GDPR)
“The technical analysis report of 07/03/2019 (Exhibit 12), the relevant elements of which on pages 8/14 and 9/14 are quoted below, demonstrates the existence of the following practices which are incompatible with the controller's liability in Article 24 of the GDPR and with the obligation of security of the processing in article 32, paragraph 1 of the GDPR:
On screenshot 1 we see that the link to join the server is […]. This link is a link http and not https. This means that the communication protocol between the client station and the server in question is a protocol that carries data in the clear, i.e. not encapsulated in a tunnel as would the TLS protocol for an https link. Which means that the personal data provided by the user on this site does not have the guarantee set out in the information “Protection of your privacy” disseminated at the following link […] of which screenshot 7 shows the excerpt.
In its guidelines on the protection of personal data through web services provided by the European institutions the EDPS recommends the use of secure protocols in the transmission of personal data within the framework web services.
The use of an http link instead of an https link and the consequences for the security of the treatment as mentioned above, is also inconsistent with the stated guarantee in the “privacy policy of […] the text of which can be found on pages 19 to 24 and explanations on pages 9 and 10 of the document “[FR] Letter of response – (…)-” which was communicated to the inspection service by Y via his email of 07/17/2019 (Exhibit 14).
The Inspection service refers in this respect to the following sentences mentioned in the aforementioned text of the Y: “We are committed to respecting and protecting the privacy of all individuals with which we act, have acted or will act. seek to give you clear information and control over information personal data we hold about you, as well as other non-personal data information that we may collect and use during your visit to this site Internet.” “No other personal information will be shared with any other third parties.”
Findings concerning the responsibility of the data controller (article 24 of the GDPR) and concerning the appointment of the data protection officer (Article 37 of the GDPR)
“In the document “[FR] Letter of response – Ref (…)” which was communicated to the service of inspection by Y via his email of 07/17/2019 (Exhibit No. 14) appears on pages 10 to 11 and pages 25 to 31 a motivation for the decision not to appoint a protection officer data within the organization; according to “The summary of the conclusion is that (…) is not not required to appoint a dedicated data protection officer”.
The aforementioned “decision” and its reasoning do not comply with Article 24, paragraph 1 of the GDPR or Article 37(1) GDPR for the following reasons:
There is no time of official decision taken by Y concerning the appointment or not of a delegate to the data protection despite the obligation imposed by article 24, paragraph 1 to put implement “appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with this Regulation”.
The document “Re DOS (…)-questions in the context of an inspection investigation_FR” which was communicated to the inspection service by Y via his email of 09/09/2019 (Exhibit 17) mentions on pages 10 to 11 that the aforementioned decision “will be placed on the agenda of our next Board of Directors in November 2019, in order to ensure that the decision taken has been officially documented.
The elements of the technical analysis report of 07/03/2019 (Exhibit 12) cited above in this report demonstrate that a cookie “allows Y to be informed of the fact that your browser accepts or not third-party cookies” which requires the appointment of a data protection officer on the basis of Article 37, paragraph 1, b) of the GDPR. This cookie is clearly linked to the operation of the website […] given the explanations of Y concerning this website on pages 3 to 9 of the document “[FR] Letter of response – Ref (…)” which was communicated to the inspection service by Y via his email of 07/17/2019 (Exhibit 14) and allows regular and systematic monitoring on a large scale of persons concerned.”
18. As a reminder, the IS is an independent body of the Litigation Chamber (“CC” below). The investigation report produced is only one of the elements on which the CC relies to make its decision.
IV- Motivation
IV.1- On the competence of the DPA
IV.1.1- On the competence of the DPA within the framework of the IMI system
19. Article 56 GDPR states that “Without prejudice to Article 55, the data protection authority the main establishment or the sole establishment of the controller or the processor is competent to act as lead supervisory authority concerning the cross-border processing carried out by this controller or this subcontractor, in accordance with the procedure provided for in Article 60.”
20. Article 4.23 GDPR clarifies the notion of cross-border processing by following terms: “(a) processing of personal data which takes place in the Union in the context of activities of establishments in several Member States of a controller or of a processor when the controller or the processor is established in several Member States; or (b) processing of personal data which takes place in the Union in the context of activities of a single establishment of a controller or processor, but which materially affects or is likely to materially affect persons concerned in several Member States;”
21. The defendant has its sole establishment in Belgium, but its activities (and more particularly its website (…), being consultable from any EU member state) significantly affect or are likely to significantly affect people concerned in several Member States, including the complainant in Germany. The Litigation Chamber bases its jurisdiction on the basis of a combined reading of Articles 56 and 4.23.b) GDPR. The DPA is entered by the data protection authority in Berlin, following a complaint by the complainant to an authority in the Member State in which finds his habitual residence, in accordance with Article 77.1 of the GDPR, and declares himself lead supervisory authority (Article 60 of the GDPR).
IV.1.2- On the competence of the DPA
22. In the section below, the Litigation Chamber recalls that the jurisdiction of the DPA regarding the e-privacy Directive is developed in previous decisions of the Chamber, in particular in decisions 12/2019 of 17 December 2019, 24/2021 of 19 February 2021, as well as 19/2021 of February 12, 2021. This section includes a summary of the House's position.
23. Pursuant to Article 4 § 1 LCA, the DPA is responsible for monitoring compliance with the fundamental principles of data protection, as affirmed by the GDPR and other laws containing provisions relating to the protection of the processing of personal data.
24. Pursuant to Article 33 § 1 LCA, the Litigation Chamber is the administrative litigation body of the DPA. It is, among other things, seized of the complaints that are brought to it transmitted via the IMI system, on the basis of Article 56 of the GDPR.
25. Pursuant to articles 51 and s. of the GDPR and Article 4.1 LCA, it is up to the Chamber Litigation as an administrative litigation body of the DPA, to exercise a effective control of the application of the GDPR and to protect the freedoms and rights fundamental rights of natural persons with regard to processing and to facilitate the free flow personal data within the Union.
26. As the defendant acknowledges, the website collects personal data personal through 3 types of cookies, namely audience cookies; cookies “box of dialog” and session cookies, and therefore processes this personal data.
27. The Litigation Chamber is competent to rule in cases concerning the processing of personal data, pursuant to Article 4, § 1 of the LCA, of Article 55 of the GDPR and in compliance with Article 8 of the Charter of Fundamental Rights of the European Union.
28. Furthermore, under Belgian law, the Belgian Institute for Postal Services and Telecommunications (BIPT) is the controller for the Communications Act Electronic (ECL hereinafter), including for section 129 of the ECL which implements section 5.3 [1] of Directive 2002/58 (hereinafter, the "e-privacy Directive"), in accordance with Article 14, § 1 of the law of 17/01/2003 relating to the status of the regulator of the postal and Belgian telecommunications. [2]
29. In its Opinion 5/2019 on the interaction between the ePrivacy Directive and the GDPR, the European Data Protection Board (hereafter: "EDPB") has confirmed that the data protection authorities are competent to apply the GDPR to data processing, also in the context where other authorities would be competent, under the national transposition of the e-privacy Directive, for monitor certain elements of personal data processing.
30. It also emerges from this opinion that the e-privacy Directive aims to “specify and supplement” the provisions of the GDPR with regard to the processing of personal data personnel in the electronic communications sector, and in doing so to guarantee the compliance with Articles 7 and 8 of the Charter of Fundamental Rights of the EU.
31. The Litigation Chamber notes, in this regard, that Article 8.3 of the Charter provides that the processing of personal data is subject to the control of an authority independent, responsible for data protection.
32. In addition, the predecessor of the EDPB (the article 29 working group on the protection Data Protection, hereinafter: Data Protection Working Group) has also clarified that GDPR requirements for obtaining valid consent apply to situations that fall within the scope of the E-privacy Directive. [3]
33. In the Planet49 judgment, the Court of Justice of the European Union confirmed in particular that the collection of data through cookies could be qualified as processing of personal data. Therefore, the Court interpreted Article 5.3 of the Directive Privacy and electronic communications using the GDPR, specifically on the basis of Article 4.11, Article 6.1.a GDPR (consent requirement) and Article 13 GDPR (information to be provided).
1Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data personal character and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, as amended by Directive 2009/136/EC of the European Parliament and of the Council of November 25, 2009, hereinafter the “ePrivacy Directive”). 2 EDPB, Opinion 5/2019 on the interactions between the “privacy and electronic communications” directive and the GDPR, in in particular with regard to the competence, tasks and powers of data protection authorities, § 69 3Data Protection Working Party, Guidelines on Consent within the meaning of Regulation 2016/679, WP259, p. 4. 4Judgment of the Court of 1 October 2019, Planet49, C-673/17, ECLI:EU:C:2019:801, paragraph 45. 5As well as with the help of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 relating to the protection of natural persons with regard to the processing of personal data and on the free movement of such data, Decision on the substance 11/2022 - 10/32 34. As indicated above, BIPT's competence to supervise certain elements of the processing – such as the placement of cookies on the terminal equipment of the Internet user – does not prejudice the general competence of the DPA. As precised by the EDPB, the data protection authorities remain competent for matters processing (or elements of processing) for which the e-privacy Directive does not provide no specific rules. There is indeed a complementarity of competences between BIPT and ODA in the specific case, insofar as on the basis of Article 4 of the LCA, ODA is responsible for monitoring compliance with the fundamental principles of the protection of data (as affirmed by the GDPR and in other laws containing provisions relating to the protection of personal data), and that the consent constitutes a fundamental principle in this field. 35. 
The complaint also relates to the processing occurring following the placement of the cookie litigation. 7 36. Furthermore, Opinion 5/2019 on the interaction between the e-privacy Directive and the GDPR aforementioned of the EDPB also indicates that national procedural law determines what must happen when a data subject lodges a complaint with the authority of data protection relating to the processing of personal data (such as by example the collection of data by means of cookies), without also complaining about (potential) breaches of the GDPR. This corresponds well to the present case. 37. In this regard, the Court of First Instance of Brussels has clearly indicated that the legal predecessor of the DPA was competent to submit a requisition to a court "to the extent that it relates to alleged violations of the privacy law of the 8 December 1992, to which article 129 of the LCE, which clarifies and completes it, refers 8 moreover expressly ". As indicated below, article 129 LCE is the implementation in Belgian law of article 5.3 of the privacy directive. 38. The DPA is thus competent to verify whether the requirement of the fundamental principle that constitutes consent around the disputed cookie whether or not it complies with the conditions GDPR consent. 6EDPB, Opinion 5/2019 on the interactions between the “privacy and electronic communications” directive and the GDPR, in in particular with regard to the competence, tasks and powers of data protection authorities, § 69. 7 EDPB, Opinion 5/2019 on the interactions between the "privacy and electronic communications" directive and the GDPR, in in particular with regard to the competence, tasks and powers of data protection authorities, 12/03/2019, §70 8 Brussels Court, 24th Civil Affairs Chamber, 16 February 2018, case file no. 2016/153/A, point 26, p. 
51, available at: https://www.autoriteprotectiondonnees.be/news/lautorite-de-protection-des-donnees-defend-son-argumentation-devant- the court-of-appeal-of-brussels.

39. The DPA is also competent to verify compliance with all the other conditions made mandatory by the GDPR – such as transparency of processing (Article 12 of the GDPR) or the information to be communicated (Article 13 of the GDPR).

40. As confirmed by the Court of Justice in the Facebook and Others judgment, only the recording and the reading of personal data by means of cookies fall within the scope of application of Directive 2002/58/EC, while “all previous operations and subsequent processing activities of such personal data by means of other technologies do fall within the scope of [GDPR]”. [9]

IV.2- As regards breaches of the principles of transparency (Article 5.1.a and 12 and 13 of the GDPR) and lawfulness (Article 6 of the GDPR)

IV.2.1.1-Reminder of the basic legal principles concerning the use of tracking tools and Cookies

41. Before examining the corresponding shortcomings identified by the IS report, the Litigation Chamber considers it useful, for educational purposes, to give a short introduction to cookies and to recall the basic legal principles concerning internet user tracking tools, including cookies.

42. The term tracers includes cookies and HTTP variables, which may in particular pass through invisible pixels or "web beacons", "flash" cookies, access to terminal information from APIs (LocalStorage, IndexedDB, advertising identifiers such as IDFA or Android ID, GPS access, etc.), or any other identifier generated by software or an operating system (serial number, MAC address, unique terminal identifier (IDFV)), or any set of data used to calculate a unique fingerprint of the terminal (for example via fingerprinting).

43.
These cookies and other tracers can be distinguished according to different criteria, such as the purpose they pursue, the domain that places them or their lifespan. Cookies can thus be used for many different purposes (among others, to support communication on the network (“connection cookies”), to measure the audience of a website (“audience measurement cookies”, “analytical cookies” or “statistical cookies”), for marketing and/or behavioral advertising purposes, for authentication, etc.).

44. Cookies can also be distinguished according to the domain that places them: they are thus “first party" or "third party". “First party” cookies are placed directly by the owner of the website visited, unlike "third-party cookies", which are set by a domain different from the one visited (for example when the site incorporates elements from other sites, such as images, social media plug-ins (the Facebook "Like" button, for example) or advertisements). When these elements are fetched by the browser or other software from other sites, those sites may also place cookies that can then be read by the sites that placed them. These "third-party cookies" allow these third parties to monitor the behavior of Internet users over time and across many sites and to create, from this data, profiles of Internet users.

[9] Judgment of the Court of 15 June 2021, C-645/19, ECLI:EU:C:2021:483, paragraph 74.

45. Cookies can also be distinguished according to their period of validity, between "session” cookies and “persistent” ones. “Session cookies” are automatically deleted when the browser is closed, while “persistent cookies” remain stored on the device used until their expiration date (which can be expressed in minutes, days or years).

46. From a legal point of view, a distinction should be made between tracers that must be subject to the user's consent and those that need not be.

47.
Trackers that do not require consent are those strictly necessary for the provision of an online communication service expressly requested by the user, or those which aim to allow the transmission of the communication by electronic means. These trackers do not require users' consent. The processing of personal data in these tracers is generally based on the legitimate interest of the data controller (Article 6.1.f) of the GDPR).

48. This does not, however, prevent the controller, in compliance with the principle of transparency, from informing Internet users of their use and reminding them that browser settings allow them to block these trackers, mentioning in that case the potentially negative effects on the operation of the site. The associated processing of personal data obviously remains subject to the principles of the GDPR.

49. Cookies that do not require consent include those retaining the choice expressed by users on the deposit of tracers, those intended for authentication with a service, those allowing the content of a shopping cart to be kept, or even those personalizing the user interface (for example, for the choice of language or presentation of a service), when such personalization constitutes an intrinsic and expected element of the service.

50. Other trackers and cookies are subject to prior consent. Processing on the basis of legitimate interest is also prohibited for these cookies. All cookies not having the exclusive purpose of allowing or facilitating communication by electronic means, or not being strictly necessary for the supply of an online communication service at the express request of the user, therefore require prior consent. These can for example be linked to the display of personalized or non-personalized advertising (in the latter case, when tracers are used to measure the audience of the advertising displayed) or to social network sharing functionalities.
In the absence of consent (that is, assuming a user's refusal), these tracers cannot be deposited and/or read on his terminal. [10]

[10] See Recommendation No. 01/2020 of the Knowledge Center of January 17, 2020 relating to the processing of personal data for direct marketing purposes, concerning many practical aspects and examples of GDPR-compliant use of cookies, in particular regarding consent and transparency (p. 78 et seq.). See also the CNIL practical file "Cookies and tracers: how to bring my website into compliance?", October 01, 2020, https://www.cnil.fr/fr/cookies-et-traceurs-comment-mise-mon-site-web-en-conformite

IV.2.1- As to the breach concerning the use of a cookie without prior information of the user

51. In essence, the IS notes two shortcomings in this respect:

- Article 12.1 of the GDPR provides that the controller must take appropriate measures to provide the person concerned with any information referred to in particular in Article 13 of the GDPR in a concise, transparent, understandable and easily accessible way, in clear and simple terms. Article 12.2 of the GDPR provides that the controller must facilitate the exercise of the rights of the data subject.

- Article 13.1 and 2 indicates, concerning the information to be provided when personal data are collected from the data subject:

“1. Where personal data relating to a data subject is collected from this person, the data controller provides him, at the time when the data in question are obtained, all of the following information:
a) the identity and contact details of the controller and, where applicable, of the representative of the controller;
b) where applicable, the contact details of the data protection officer;
c) the purposes of the processing for which the personal data are intended as well as the legal basis for processing;
d) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or a third party;
e) the recipients or categories of recipients of the personal data, if they exist; and
f) where applicable, the fact that the controller intends to transfer personal data to a third country or to an international organisation, and the existence or absence of an adequacy decision issued by the Commission or, in the case of transfers referred to in Article 46 or 47, or in the second subparagraph of Article 49(1), the reference to the appropriate or adapted safeguards and the means of obtaining a copy or where they were made available;

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data is obtained, the following additional information that is necessary to ensure fair and transparent processing:
a) the retention period of the personal data or, where this is not possible, the criteria used to determine this duration;
b) the existence of the right to ask the controller for access to personal data, rectification or erasure thereof, or limitation of processing relating to the data subject, or the right to oppose the processing and the right to the portability of the data;
c) where the processing is based on point (a) of Article 6(1) or on Article 9, paragraph 2(a), the existence of the right to withdraw consent at any time, without undermining the lawfulness of processing based on consent carried out before its withdrawal;
d) the right to lodge a complaint with a supervisory authority;
e) information on whether the requirement to provide personal data is of a regulatory or contractual nature or if it conditions the conclusion of a contract and the person concerned is required to provide the personal data, as well as on the possible consequences of the non-provision of these data;
f) the existence of automated
decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the underlying logic, as well as the significance and anticipated consequences of such processing for the person concerned.”

52. The Litigation Chamber recalls that the objective of the principle of transparency under Articles 12, 13 and 14 of the GDPR is that the data subject should be, in accordance with the principle of fairness of Article 5.1.a), able to determine in advance what the scope and the consequences of the processing include, in order not to be caught unawares at a later stage as to how his personal data has been used. The information should be concrete and reliable; it should not be formulated in abstract or ambiguous terms nor leave room for different interpretations. More specifically, the purposes and legal bases of the processing of personal data should be clear.

53. In the Planet49 judgment [11], the Court of Justice of the European Union held that for the placement of cookies, the controller had to provide information on the duration of operation of cookies as well as on whether or not third parties can have access to these cookies, in order to guarantee fair and transparent information (Article 5.3 of the ePrivacy Directive concerning the placement of cookies is thus read together with the principle of fairness (Article 5.1.a) and the information obligations of Article 13.2 (a) and (e) of the GDPR).

54. Under Articles 5.2 and 24 of the GDPR, the controller must take appropriate technical and organizational measures to guarantee and be able to prove that the processing of personal data using cookies is carried out in accordance with Articles 12 and 13 of the GDPR.

55.
In the present case, the IS notes, firstly, that when connecting to the defendant's site (home page), a cookie was already loaded in the browser without any information having been delivered to the user. Personal data has therefore been processed before the information required by Article 13 GDPR was communicated. The cookie was named "third_party_c_t", and informed the defendant whether or not the user's browser accepted cookies from third parties (preference cookies from participating companies).

56. The defendant acknowledges in its submissions the absence of prior information to the user regarding the placement of the cookie, at least in the version of the site at the time of the investigation carried out by the inspection service. It first emphasizes that the cookie in question was deleted in April 2020 following a change in the website. It adds that it was a first party cookie and qualified as essential (therefore strictly necessary, which the IS report does not dispute). In addition, this cookie did not constitute a risk for the rights and freedoms of the persons concerned because it did not resemble an identifier.

57. With regard to the period between the entry into force of the GDPR, on 25 May 2018, and the deletion of said cookie in April 2020, the defendant indicates that, for technical reasons, the cookie was placed before the information banner on the use of cookies by the site appeared. It also explains that it was impossible to display information about the cookie in the language of the user since it is on this page that the user had to select his language/country.

58. It also specifies that insofar as it was an essential cookie, the consent of the user was not required. This is not disputed in the IS report.

[11] Judgment of the Court of 1 October 2019, C-673/17, ECLI:EU:C:2019:801.

59.
The Litigation Division takes note of the modification of the defendant's website, which, as the latter indicates in its conclusions, reinforces its compliance with the GDPR. It also takes note of the deletion in April 2020 of the cookie in question. The fact remains that between the entry into force of the GDPR (May 25, 2018) and the deletion of said cookie in April 2020, the defendant collected and processed personal data without first providing information to the user.

60. The arguments put forward by the defendant cannot be followed: the first, according to which the cookie was loaded before the information banner appeared for “technical reasons”, and the second, according to which the information could not be communicated to the user before loading the cookie since it is precisely on the page visited that he had to choose his language/country. Regarding the argument of the language not yet selected by the user, it was appropriate to display the warning of the use of the cookie in English, a widespread language commonly used by other websites, before the user's language was selected. [12]

61. The argument underlined by the plaintiff according to which the impact in terms of risks to the rights and freedoms of users was low: indeed, the obligation of prior information applies to all types of cookies, whether their impact on the right to data protection of data subjects is weak or not.

62. The Litigation Chamber finds a breach of Articles 12 and 13 of the GDPR, between the entry into force of the GDPR (i.e. May 25, 2018) and the withdrawal of the “third_party_c_t” cookie in April 2020.

IV.2.2- As for the transparency of the box indicating that “non-identifiable information” is collected

63. The second shortcoming noted by the IS report concerns the screen which appeared (at the time of the investigation, therefore before the modification of the website) when the user chose his language and his country.
This screen indicated: “This website collects and uses non-identifiable information to analyze the activity of the site in order to improve its navigation. You can control how this information is collected and used” and was accompanied by a hyperlink to the “Protecting Your Privacy” page.

64. The IS report emphasizes that although this information is not identifiable, it remains personal data. According to the IS, this box is not "transparent and does not allow the user to get an idea of what is collected and for what reason this collection is made".

[12] The Litigation Chamber also refers to the extensive practical information on cookies available on the APD website at the url https://www.autoriteprotectiondonnees.be/citoyen/themes/internet/coovoir. See also Recommendation n° 01/2020 of January 17, 2020 relating to the processing of personal data for the purposes of direct marketing, concerning many practical aspects and examples of the use of cookies in accordance with the GDPR, in particular regarding transparency (p. 78 et seq.).

65. The defendant responds in this regard that, since the modification of the website, a dialog box has replaced the screen (or box) in question. It also disputes that, for the period prior to the modification, the box was not transparent, in that it was sufficient for the user to click on the hyperlink to obtain information relating to the “non-identifiable information” collected. This screen also remained displayed for the user's entire visit, unless the user closed it. It adds that this information was available on other pages of the site as well as in the site's privacy policy document. It also recalls that insofar as these cookies were not subject to prior consent (since they were strictly necessary), the GDPR does not require the controller to provide all the useful information in a single advance information box, which, according to it, would not be feasible in practice.

66.
The Litigation Chamber recalls the requirement of recital 58 of the GDPR according to which "The principle of transparency requires that any information sent to the public or to the person concerned is concise, easily accessible and easy to understand and formulated in clear and simple terms and, in addition, where appropriate, illustrated with visual elements."

67. It also recalls the requirement of Article 12.1 of the GDPR, which stipulates that “The controller takes appropriate measures to provide any information referred to in Articles 13 and 14 as well as to carry out any communication under Articles 15 to 22 and Article 34 with regard to the processing to the data subject in a concise, transparent, understandable and easily accessible way, in clear and simple terms, in particular for information intended specifically for a child.” (emphasis added)

68. In other words, this means that before consent is sought from the user, the principle of transparency requires that precise information be communicated on the data controller, the purposes pursued by the cookies and other tracers that will be deposited and/or read, the data they collect and their lifespan. The information must also relate to the rights that the GDPR recognizes to the user (or data subject), including the right to withdraw consent.

69. As indicated above, the information must be visible, complete and highlighted. It must be written in simple and understandable terms for any user. That implies, in particular, that the information be written in a language that is easily understandable for the "target audience" to which it is addressed. For example, if the website is intended for a French-speaking and/or Dutch-speaking public, the information must be written in French and/or Dutch. [13]

70.
The Litigation Chamber considers that the defendant failed, before the modification of the site, to meet the obligation of transparency insofar as the box did not offer, at the very least, a direct link to the required information about the cookies used under Article 13 of the GDPR, instead of a general reference to the defendant's privacy policy.

71. In this regard, the Chamber endorses the recent guidelines of the CNIL [14], which also point out that "A simple reference to the general conditions of use cannot suffice. At a minimum, the provision of the following information to users, prior to the collection of their consent, is necessary to ensure the informed nature of the latter:
- the identity of the person(s) responsible for processing the read or write operations;
- the purpose of the data reading or writing operations;
- how to accept or refuse tracers;
- the consequences attached to a refusal or acceptance of tracers;
- the existence of the right to withdraw consent.”

72. The Litigation Chamber can only repeat the key role of the principle of transparency in respect for the data protection rights of data subjects. This principle contributes to guaranteeing freedom of choice to users by giving them more control over their personal data, in particular in the context of large-scale Internet tracking practices in our digital economy.

73. The Litigation Division notes from the outset and in the alternative that, in addition to the necessary compliance with the principle of transparency, as developed below, the consent of the user (for non-functional cookies) must also meet a certain number of requirements.

[13] As indicated below, in the present case, in the absence of being able to identify the target language from the first page of the site, the controller may use English in order to allow the user to choose his language.
[14] Deliberation no.
2020-091 of September 17, 2020 adopting guidelines relating to the application of article 82 of the amended law of 6 January 1978 to read and write operations in a user's terminal (in particular to "cookies and other tracers”) and repealing deliberation no. 2019-093 of July 4, 2019, points 23-25.

74. For information purposes, the Litigation Division refers to the APD website, where many practical tips for GDPR-compliant use of cookies are available.

75. In the present case, the Litigation Division finds that the defendant has rectified the breaches of the principle of transparency mentioned above by modifying its site. The breach identified in the IS report is therefore no longer relevant.

IV.3- Regarding breaches of Articles 12 and 13 of the GDPR

76. The IS report also indicates that the defendant's Privacy Policy document would not comply with Articles 12 and 13 of the GDPR, firstly because the information provided is not always concise, transparent or understandable, and secondly because it is incomplete.

IV.3.1- As for the fact that the information is not always transparent or understandable

77. The IS considers that the information contained in the defendant's Privacy Policy document is not always transparent or understandable, for several reasons.

78. A- Firstly, the IS points out that the language used would be neither coherent nor logical because the defendant uses the terms “personal information” and “personal data” instead of “personal data” as in the GDPR.

79. As indicated above, Article 12 of the GDPR requires that the information to be provided according to Articles 13 and 14 of the GDPR be communicated "in a concise, transparent, understandable and easily accessible way, in clear and simple terms”.
The “Article 29” Working Party specifies in its Guidelines on Transparency [16] that “the requirement that this information be “understandable” means that it should be understood by the majority of the target audience. Comprehensibility is closely related to the requirement to use clear and simple terms”.

80. The Litigation Chamber considers that the defendant must be followed when explaining that the GDPR does not require the use of the term “personal data”, that the terms "personal information" and "personal data" may be understood by the majority of the intended audience (particularly in the context of reading the paragraphs using them), and that they can be considered as synonyms.

81. The Chamber further notes that the defendant now only uses the term “personal data” in the updated version of its Privacy Policy document.

82. This breach raised by the IS is therefore unfounded.

83. B- Secondly, the IS raises that the warning of “undesirable consequences” in the event of refusal of cookies is not understandable and therefore prevents free consent, since it does not explain what these undesirable consequences are.

[15] https://www.autoriteprotectiondonnees.be/citoyen/themes/internet/cookies. See also the CNIL website, “Questions-answers on the amending guidelines and the “cookies and other trackers” recommendation”, available via https://www.cnil.fr/fr/questions-reponses-lignes-directrices-modificatives-et-recommandation-cookies-traceurs.
[16] Article 29 Working Party, “Guidelines on Transparency within the meaning of Regulation (EU) 2016/679”, revised version adopted on 11 April 2018, WP260 rev.01, 17/FR, p.8.

84.
The Article 29 Group expressed itself in these terms: “A key aspect of the principle of transparency highlighted in these provisions is that the data subject should be able to determine in advance what the scope and the consequences of the processing include in order not to be taken unawares at a later stage as to how his personal data has been used. It is also an important aspect of the principle of fairness under Article 5(1) of the GDPR, which is also linked to recital 39, which provides that “[t]he natural persons should be informed of the risks, rules, safeguards and rights associated with the processing of personal data”. More particularly, with regard to the processing of complex, technical or unforeseen data, the position of the G29 is that controllers should, in addition to providing the information set out in Articles 13 and 14 (discussed later in these guidelines), define separately and in a clear manner the main consequences of the processing: in other words, what will actually be the effect of the specific processing described in a privacy statement or notice for the data subject. In accordance with the principle of responsibility and in accordance with recital 39, controllers should assess whether there are, for the natural persons concerned by this type of processing, particular risks which should be brought to the attention of those concerned. Such an assessment could help provide insight into the types of processing that are likely to have the most impact on the fundamental rights and freedoms of data subjects with regard to the protection of their personal data.” (emphasis added)

85. According to the defendant, it is clear that the words “undesirable consequences”, read in their context, refer to the use of the site, which does not operate in an optimal way in case of rejection of essential cookies.
It specifies that this warning is repeated in several different places on the site, and that in the new version of the site, a table explaining the effects of rejecting cookies has been added.

[17] Ibid.

86. The Litigation Chamber is of the opinion that the use of these terms allows users to understand the practical consequence of rejecting the cookie. Nevertheless, beyond the question of clearly informing the user about the “undesirable consequences” (impossibility of using the site or limited use) related to the rejection of the cookie, the Litigation Chamber stresses, in the alternative, that this “cookiewall” practice can only be accepted when the rejected cookie is a strictly necessary cookie (as opposed to the case of a non-functional cookie) (see below, part IV.7.2 on this subject).

87. The defendant can therefore be followed when it maintains that these terms refer in a sufficiently clear way to the use of the website.

88. C- Finally, the IS report argues that the reference, on the defendant's site, to “additional information” concerning cookies on the Google, Firefox and Windows sites is not understandable either in the absence of additional explanations.

89. The defendant maintains that this reference to the “additional information” on cookies of the main browsers (Google, Firefox, Windows) is a practice. It specifies that most websites using cookies do the same, including the DPA website. It specifies that the site even contains an additional information section entitled “Get to know your computer’s privacy settings”, which provides concrete explanations with supporting images.

90. In this context, the Litigation Division is of the opinion that the reference to the “additional information” on browser cookies (Google, Firefox, Windows) is understandable enough for the user.

IV.3.2- As to the fact that the information is not complete

91.
The IS then argues that the information contained in the defendant's Privacy Policy document is not complete, for two reasons.

92. A- Firstly, the IS raises that the existence of the right to withdraw consent at any time is not mentioned for the processing of personal data, but only for the management of cookies.

93. Article 7.3 of the GDPR lays down strict conditions for the valid withdrawal of consent: (a) the data subject has the right to withdraw consent at any time, (b) he must be informed of this in advance, and (c) it must be as simple to withdraw consent as to give it. Pursuant to article 129, last paragraph of the ECL, the controller is obliged to give "free of charge" the possibility to end users of the terminal equipment concerned "to withdraw consent in a simple manner".

94. This right to withdraw consent must therefore be subject to prior information (Article 7.3.b), and should also be read in conjunction with the requirement for fair and transparent processing within the meaning of Article 5 and Article 13.2.c of the GDPR. Non-existent or incomplete information concerning the right to withdraw consent would imply that the consent would be given de facto for an infinite period and that the data subject would be deprived of the right to withdraw consent. These rules apply both with regard to "first party" cookies and those of a "third party".

95. The defendant replies that except for analytical cookies (and in the rare cases where personal data is contained in a contact form), the site does not process any personal data for which consent is required. However, the privacy policy statement indicates that users of the site can erase cookies, which amounts, unequivocally according to the defendant, to withdrawing their consent. It concludes that further mention of the existence of the right to withdraw consent is not necessary.

96.
The defendant adds that the APD does the same on its own website, that is to say it also uses analytical cookies based on consent (and contact forms), without explicit mention of the “right to withdraw consent” in its "Data Protection Statement".

97. The Litigation Division takes note of the fact that in the current version of the page "Protection of your privacy", a specific statement on the existence of the right to withdraw consent for the processing of personal data has been inserted, and considers that the information is sufficiently complete.

IV.4- Regarding breaches of Article 30 of the GDPR

98. The IS also points out that the processing register does not mention the third countries to which several categories of personal data are transmitted, but merely refers to documents from subcontractors with which the defendant has entered into agreements.

99. The defendant replies that the register is based on a model from a European regulator, which includes such references. It explains that it works with different American subcontractors providing cloud computing type services, and that the information on these third countries may vary according to their servers and types of services. It adds that the purpose of the references to these documents of its subcontractors is to have information that is always complete and up to date. It also clarifies that this concerns only a few boxes of the register, that the register is otherwise completed in accordance with the GDPR, and that the latter does not prohibit doing so.

100. The Litigation Chamber strongly recommends that third countries be indicated and easily identifiable in the processing register, particularly in view of the recent case law of the CJEU in terms of transfer to third countries.
On the basis of Article 100.9 of the LCA, it orders the defendant to adapt its register of processing by clearly indicating the third countries to which personal data are sent, to better respond to the case law of the CJEU.

IV.5- Regarding breaches of Articles 24 and 32 of the GDPR

101. The IS criticizes the use of the http protocol (URL link) rather than https, in that this constitutes a breach of the security obligation.

102. The defendant replies that since January 15, 2020 the site has switched to the https protocol. It also explains that this migration has been an ongoing project since 2014, but that its implementation has been long and difficult because it must collaborate with all its members (more than a hundred). It adds that since its site only processes a small amount of personal data, the risks for the persons concerned were low, and that, given the risk-based approach of the GDPR, this migration to the https protocol was not necessarily required.

103. Without pronouncing further on this subject, the Litigation Chamber takes note of the migration of the site to the https protocol, and notes that the breach mentioned in the report of the IS is therefore no longer relevant.

IV.6- Regarding breaches of Articles 24 and 37 of the GDPR

104. In addition, the IS criticizes the absence of an official decision documenting the choice whether or not to appoint a Data Protection Officer (DPO hereafter), and considers that the defendant should have appointed a DPO because it uses a cookie which allows “regular and systematic monitoring at large scale of the persons concerned”.

105. The respondent notes that the GDPR does not require a formal procedure to be followed for the decision to appoint a DPO or not, and that documenting the reasons for a decision not to appoint one is a recommendation and not an obligation.

[18] Judgment of the Court of 16 July 2020, C-311/18, Facebook Ireland and Schrems, ECLI:EU:C:2020:559.
(“Schrems II case”).

106. Next, concerning the cookie which, according to the IS, allows "regular and systematic monitoring at large scale of the persons concerned”, the defendant replies that the cookie has no longer been used since April 2020. It adds that even when it was used, this cookie did not justify appointing a DPO, because this cookie was not an identifier since it was the same for everyone and therefore did not allow a user to be followed. Nevertheless, insofar as this cookie contained personal data, it made it possible to identify the persons concerned.

107. The defendant argues that there was no “large-scale monitoring”, and that even if its cookies allowed “systematic and large-scale monitoring” (quod non), this would still have had to constitute a “basic activity” of the defendant, which was not the case (the proof being that it continues the same activities today without the cookie in question).

108. The Litigation Division is of the opinion that the defendant can be followed when it argues that the GDPR does not require a formal procedure to be followed for the decision to appoint a DPO or not, and that documenting the reasons for a decision not to appoint one is a recommendation and not an obligation.

109. Concerning the obligation to appoint a DPO, the Litigation Chamber recalls the provisions of Article 37.1.b) of the GDPR, according to which the data controller must appoint a DPO if “the core activities of the controller or processor consist of processing operations which, due to their nature, their scope and/or their purposes, require regular and systematic monitoring on a large scale of people concerned”. This article should be read in conjunction with the Article 29 Working Party's Guidelines on data protection officers. In the absence of “systematic and large-scale monitoring”, it cannot be concluded that there has been a breach of Article 37 of the GDPR.

IV.7- Regarding the content of the complaint

110.
After considering the shortcomings raised by the IS, the Litigation Chamber examines below the grievances as expressed by the complainant in his complaint.

111. As indicated above (nos. 12 to 14), the complainant raises two grievances in his complaint. He indicates in the first place that the tool for selecting advertising preferences does not work, in that the opt-out cookie for many third parties does not work (although he clicks the decline option, the accept option re-engages automatically). He thus raises that his consent to these cookies is forced and therefore not free within the meaning of Articles 4.11 and 7 of the GDPR.

[19] WP243rev.

112. He also complains that the website requires the user to accept cookies in order to be able to select their advertising preferences. The cookie in question makes it possible to inform the defendant whether or not the user's browser accepts third-party cookies. The Litigation Chamber therefore understands that the complainant opposes the placement of the cookie, as well as the subsequent processing of his personal data by the defendant.

IV.7.1- Concerning the complainant's first grievance, relating to the malfunctioning of the tool for choosing advertising preferences

113. The respondent responds to the complainant's first grievance that it is clearly indicated on its site (in the preference tool itself as well as in the General Conditions of Use) that when ad blocking software is used, the preference tool may not work. It also appears from the screenshot of the complainant's browser in the IS report that he actually uses such software. The IS report (based in particular on the technical analysis report, which includes a test of the proper operation of the control tool) does not raise any malfunction of the control tool. Therefore, the Litigation Chamber cannot support the complainant in his grievance
that his consent would be forced, in violation of Articles 4.11 and 7 of the GDPR.

IV.7.2- Regarding the complainant's grievance that the defendant's website obliges the user to accept cookies in order to be able to use the site, a practice known as "cookie wall"

114. Before examining the specific issue of the cookie wall, the Litigation Division considers it useful, for educational purposes, to recall the rules regarding consent.

IV.7.2.1- Concerning the criteria for valid consent

115. Article 4.11 of the GDPR defines the “consent” of the data subject as follows: "any manifestation of will, free, specific, informed and unequivocal, by which the person concerned accepts, by a declaration or by a clear positive act, that personal data concerning him are processed”.

116. Article 7 of the GDPR also sets out the conditions applicable to consent:

“1. In cases where processing is based on consent, the controller is able to demonstrate that the data subject has given consent to the processing of personal data relating to him.

2. If the consent of the data subject is given in the context of a written statement which also concerns other matters, the request for consent is presented in a form that clearly distinguishes it from these other matters, in an understandable and easily accessible form, and formulated in plain and simple terms. No part of this statement that constitutes a violation of this Regulation is binding.

3. The data subject has the right to withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on the consent given before this withdrawal. The data subject is informed of this before giving consent. Withdrawing consent is as easy as giving it.

4.
When determining whether consent is freely given, the greatest account should be taken of the question whether, inter alia, the performance of a contract, including the provision of a service, is subject to consent to the processing of personal data which is not necessary for the performance of the said contract.”

117. Also, according to recital 43 of the GDPR, “consent is presumed not to have been freely given if separate consent cannot be given to different personal data processing operations although this is appropriate in the particular case".

118. Furthermore, Article 5.3 of the ePrivacy Directive, as transposed by Article 129 of the LCE, lays down the condition that the user "has given his consent" for the placement and the consultation of cookies on his terminal equipment, with the exception of the technical recording of information or the provision of a service expressly requested by the subscriber or end user, when placing a cookie is strictly necessary for this purpose.

119. As indicated above, a cookie is qualified as “functional” when it is indispensable for sending a communication via an electronic communications network or for providing an expressly requested service.

120. Recital 17 of this Directive specifies that, for its application, the notion of "consent" shall have the same meaning as "consent of the data subject", as defined and specified in the Data Protection Directive 95/46 [20], now replaced by the GDPR.

121.
In the Planet49 judgment, the Court of Justice of the European Union clarified the requirement of consent for the placement of cookies following the entry into force of the GDPR and explained that explicit active consent was now required:

"Active consent is thus now expressly provided for by Regulation 2016/679. It should be noted in this regard that, according to recital 32 of that Regulation, consent could be expressed in particular by ticking a box when visiting a website. That recital, on the other hand, expressly excludes that there is consent “in the event of silence, default ticking or inactivity”. It follows that the consent referred to in Article 2(f) and Article 5(3) of Directive 2002/58, read in conjunction with Article 4(11) and Article 6(1)(a) of Regulation 2016/679, is not validly given when the storage of information, or access to information already stored, in the terminal equipment of the user of a website is authorized by a box checked by default that the user must uncheck to refuse consent." [21]

[20] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

122. The consent must also be "specific". The Litigation Chamber refers to the Guidelines on consent within the meaning of Regulation 2016/679 [22], which have been ratified by the EDPB: "Article 6(1)(a) confirms that the consent of the person concerned must be given in connection with "one or more specific purposes" and that the data subject has a choice “regarding each of these purposes” [23]. This means "that a data controller who seeks consent for various purposes should provide separate consent for each purpose so that users can give specific consent for specific purposes." [24]

123.
More specifically, the user of the website should receive information on, among other things, the methods of expressing his will about cookies, and how he can "accept them all, accept only some or none" [25].

124. For example, confirming a purchase or accepting terms and conditions is therefore not sufficient to consider that consent has been validly given to the placement or reading of cookies. Nor can consent be given for the mere "use" of cookies, without further details as to the data collected via these cookies or as to the purposes for which this data is collected. The GDPR indeed requires a more detailed choice than a simple “all or nothing”, but it does not require consent for each cookie individually. If the manager of a site or a mobile application seeks consent for several types of cookies, the user must have the choice to give (or refuse) consent for each type of cookie, or even, in a second layer of information, for each cookie individually.

[21] Planet49 judgment, points 61 and 62.
[22] Data Protection Working Party, Guidelines on Consent within the meaning of Regulation 2016/679, WP259, p. 4.
[23] Ibid, p. 14.
[24] Ibid, p. 14.
[25] Data Protection Working Party, Working Document 02/2013, setting out guidelines on the collection of consent for the deposit of cookies, p. 3, https://cnpd.public.lu/dam-assets/fr/publications/groupe-art29/wp208_fr.pdf

125. This position is also defended by the CNIL, which considers that the fact of “collecting a single consent for several processing operations simultaneously meeting distinct purposes (the coupling of purposes), without the possibility of accepting or refusing purpose by purpose, is also likely to affect, in certain cases, the freedom of choice of the user and therefore the validity of his consent.” [26]

126. The Litigation Chamber refers in this respect to the Guidelines of the Data Protection Working Party on how to obtain consent.
According to the Data Protection Working Party, consent must be obtained per cookie or per cookie category [27].

[26] Deliberation no. 2020-091 of September 17, 2020 adopting guidelines relating to the application of article 82 of the amended law of 6 January 1978 to read and write operations in a user's terminal (in particular to "cookies and other tracers”) and repealing deliberation no. 2019-093 of July 4, 2019, points 17-19.
[27] Ibid.

IV.7.2.2- Concerning the complainant's second grievance and the practice of the "cookie wall"

127. With regard to the complainant's second allegation (namely that he is obliged to accept cookies in order to select his advertising preferences, and that he opposes the subsequent processing of his personal data by the defendant), the Litigation Chamber recalls that consent must be free. Indeed, as indicated above, the GDPR requires one to “take the greatest account of the question whether, inter alia, the performance of a contract, including the provision of a service, is subject to consent to the processing of personal data which is not necessary for the performance of the said contract”. According to recital 42 of the GDPR, which clarifies the requirement of freedom of consent set out in its article 4, “consent should not be considered to have been freely given if the person concerned does not have genuine freedom of choice or is unable to refuse or withdraw his consent without prejudice” [28].

128. The EDPB condemns, in its recent guidelines, the practice which makes the provision of a service or access to a website conditional on the acceptance of write or read operations on the user's terminal, or "cookie wall". We thus read that "In order for consent to be given freely, access to the services and functionalities must not
be conditioned on the consent of a user to the storage of information, or to the access to information already stored, on a user's terminal equipment". The EDPB adds, regarding consent, that:

“The controller must demonstrate that it is possible to refuse or withdraw consent without prejudice (recital 42). For example, the controller must prove that the withdrawal of consent does not generate costs for the person concerned and that there is therefore no obvious disadvantage for those who withdraw their consent.

47. Other examples of harm are deception, intimidation, coercion or any significant negative consequence if the person concerned refuses to give his consent. The controller should be able to prove that the data subject has real freedom of choice regarding the decision whether or not to give consent, and that it is possible to withdraw consent without suffering harm.

48. If a data controller is able to demonstrate that a service includes the possibility of withdrawing consent without suffering negative consequences, i.e. without the quality of service being reduced to the detriment of the user, this can constitute proof that the consent was freely given. The GDPR does not exclude all incentives, but it will be up to the data controller to demonstrate that the consent was given freely in all circumstances.”

[28] EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679, 4 May 2020, point 39, p. 13.

129. The guidelines include concrete examples:

“49. Example 8: when a user downloads a mobile application from the “lifestyle” category, the application seeks his consent to access the accelerometer of the phone. This access is not necessary for the operation of the application, but is useful for the data controller, who wishes to know more about the movements and the activity levels of its users.
When the user later withdraws her consent, she discovers that the application no longer works except in a limited way. This is an example of harm within the meaning of recital 42, which means that the consent was never validly obtained (and the controller must therefore delete all personal data relating to the movements of the users collected in this way).

50. Example 9: A data subject subscribes to the newsletter of a fashion brand offering general discounts. The retailer requests the consent of the person concerned to collect more data on his shopping preferences in order to adapt its offers to his preferences, based on his purchase history or a questionnaire completed on a voluntary basis. If the person concerned subsequently withdraws his consent, he will again receive non-personalized discounts. This is not a prejudice, since only the authorized incentive will have been lost.

51. Example 10: A fashion magazine gives its readers the opportunity to buy new make-up products before their official launch.

52. The products will soon be available on the market, but readers of this magazine benefit from an exclusive preview of these products. In order to benefit from this advantage, readers must give their mailing address and consent to their registration on the magazine's mailing list. The mailing address is required for shipping, and the mailing list is used for sending commercial offers for products such as cosmetics or t-shirts throughout the year.

53. The company explains that the data on the mailing list will only be used for the sending of products and advertising leaflets by the magazine itself and will in no way be shared with other organizations.

54. If the reader does not wish to reveal his address for this purpose, he will suffer no prejudice as long as the products are still accessible to him.”

130.
The Respondent responds in its conclusions to the grievance raised by the Complainant that it is indicated in several places on the site in question that the service provided via the advertising preference tool is based on the use of cookies sent by the participating companies, and that if the user does not wish to receive cookies, then he must not use the service. It states more precisely in its conclusions (p. 19):

• “The very first page of the YOC Website (the one from which one can choose a country and language) contains a link titled “How does this website work?”, which leads to a page that says: “When using the control tool function, small text files called "cookies" are used by many of the companies listed to verify your current status and make the choice you wish to exercise. These files are essential to this function and help identify errors in its functionality. If you want to ensure that these cookies are not used, please see our five main tips for more details on how to manage cookies in your browser's privacy settings. However, if you do, the control tool will no longer function effectively” (Exhibit 9 – pages 1 and 2).

• The terms and conditions that govern the use of the YOC Website and the YOC Tool indicate that: “To be able to use the website (…), it is necessary that each of the participating companies places a cookie on your web browser (the preference cookie) so that we can remember your selections. Information on the cookies is available in our privacy policy: […]. If you use the website (…) with another computer or browser, or if you erase/delete your cookies, we will not be able to remember your preferences. You will need to return to the website (…) to select your preferences again. Additionally, the website (…) will not work properly if your browser is configured to block cookies, as your preferences cannot be saved without use of the preference cookie” (Exhibit 9 – page 3).
• The “Protection of your privacy” page indicates: “This website covers the European Union/European Economic Area (EU/EEA), as well as Switzerland and Turkey, and includes easy-to-use functionality (which any user can access from any of the countries on the list) that will disable online behavioral advertising (from participating companies) for users who so choose […] Please note that disabling the cookies for this purpose will prevent the control tool from functioning.”

131. The Litigation Chamber notes that the user is therefore well informed of the fact that the use of these preference cookies is necessary for the operation of the site, and that the site imposes the choice to accept this system or not to use the website. The Chamber emphasizes that this reasoning can only be followed insofar as it concerns strictly necessary cookies, since these cookies do not require the user's consent. In this case, the processing subsequent to the placement of cookies is not based on consent, but on the legitimate interest of the data controller (Article 6.1.f) of the GDPR).

132. Conversely, this reasoning must be rejected in cases where it concerns cookies that are not strictly necessary. Indeed, the user must be able to accept or refuse, for each application and each website, the deposit of non-functional cookies without coercion, pressure or outside influence. This requirement implies, inter alia, that the user cannot be refused certain services or advantages on the grounds that he has not consented to the use of non-functional cookies. The user who refuses a cookie requiring consent must be able to continue to benefit from the service, such as access to a website.

133. In the present case, insofar as the cookie in question is strictly necessary, the complainant's grievance cannot be upheld. There is therefore no breach of Article 6.1.a) of the GDPR linked to the practice of “cookie walls”.

134.
Given the importance of transparency regarding the decision-making process of the Litigation Chamber, and in accordance with Article 100.1, 16° of the LCA, this decision is published on the website of the Data Protection Authority with the identification data of the parties deleted, since these are neither necessary nor relevant in the context of the publication of this decision.

FOR THESE REASONS, THE LITIGATION CHAMBER

Decides, after deliberation:

- On the basis of Article 100, § 1, 9° of the LCA, an order to bring the defendant's register of processing into compliance, as indicated above
- On the basis of Article 100, § 1, 5° of the LCA, a reprimand

Pursuant to Article 108, § 1 of the LCA, this decision may be appealed to the Court of Markets (Brussels Court of Appeal) within 30 days of its notification, with the Data Protection Authority as defendant.

(se). Hielke Hijmans
President of the Litigation Chamber