DSB (Austria) - D124.0507/24 2024-0.633.166: Difference between revisions

From GDPRhub
m (Changed short summary)
Line 103: Line 103:


<pre>
<pre>
Barichgasse 40-42
Barichgasse 40-42
A-1030 Vienna 
Tel.: +43-1-52152 302549 
E-Mail: dsb@dsb.gv.at 
File No.: D124.0507/24  2024-0.633.166 
Officer in Charge:
For the attention of NOYB 
Data Protection Complaint (Article 77(1) GDPR, § 24(1) DSG) 
Against 
Austrian Broadcasting Corporation (ORF) 
Delivered via Email


A-1030 Vienna
Decision 
Ruling


Tel.: +43-1-52152 302549
The Data Protection Authority (DPA) hereby issues a decision concerning the data protection complaint lodged by (complainant), represented by NOYB – European Center for Digital Rights, Goldschlagstraße 172/4/3/2, 1140 Vienna, ZVR: 1354838270, dated 11 August 2021, against the Public Foundation, Austrian Broadcasting Corporation (Respondent), represented by Schönherr Rechtsanwälte GmbH, regarding (A) the right to erasure and the obligation to inform about the erasure, and (B) the request to order the Respondent to cease unlawful processing activities, as follows:
 
E-mail: dsb@dsb.gv.at
 
GZ: D124.0507/24 Clerk:
 
2024-0.633.166
 
AT NOYB
 
Data protection complaint (Art. 77 para. 1 GDPR, Section 24 para. 1 DSG)
 
/Austrian Broadcasting Corporation (ORF)
 
by email:
 
DECISION
 
APPEAL
 
The data protection authority decides on the data protection complaint from
 
(complainant party), represented by NOYB – European Center for Digital Rights,
 
Goldschlagstraße 172/4/3/2, 1140 Vienna, ZVR: 1354838270, dated August 11, 2021 against the foundation
 
under public law, Austrian Broadcasting (respondent), represented by Schönherr
 
Rechtsanwälte GmbH, due to A) the right to erasure and the obligation to notify in connection with the
 
erasure and B) the application for an order against the respondent to stop the unlawful
 
processing, as follows:


1) The complaint is dismissed.
1) The complaint is dismissed.
2) The Respondent is hereby ordered ex officio to, within six weeks,
  a) modify the consent request (cookie banner, see Finding of Facts C.6.) on the website www.orf.at to ensure that valid consent is obtained upon visiting the website. To this end, the Respondent must modify the cookie banner to provide the data subject with an equal choice on the first level of the cookie banner between "Accept all cookies" and "Only necessary cookies". It must be ensured that both options are designed equally in terms of visual appearance, including color, size, contrast, placement, and emphasis. It is not permissible to highlight one of the options through an excessively prominent design, such as preferred color, larger font size, or more prominent placement.
  b) modify the website www.orf.at to ensure that the following cookies are not set prior to obtaining consent upon visiting this website:
      i) ioam2018 (see Finding of Facts C.7.);
      ii) i00 (see Finding of Facts C.7.);
      iii) UserID1 (see Finding of Facts C.7.);
      iv) autouserid2 (see Finding of Facts C.7.).


2) The respondent is ordered officially to
Legal Basis: Articles 4(11), 5(1)(a), 7, 12(1), 17, 19, 57(1)(f), 58(2) and 77(1) of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), OJ L 119, 4.5.2016, p. 1; §§ 18(1) and 24(1), (2)(5), (4) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; § 165 of the Telecommunications Act 2021 (TKG 2021), Federal Law Gazette I No. 190/2021 as amended; § 1(1) of the Austrian Broadcasting Act (ORF-G), Federal Law Gazette No. 379/1984 as amended.
 
amend the request for consent (the cookie banner, see statement of facts C.6.) on
 
the website www.orf.at within a period of six weeks in such a way that a valid
 
consent is obtained when visiting the website. To this end, the respondent must in any case
 
amend the cookie banner in such a way that the data subject is offered an
 
equivalent choice between “Accept all cookies” and “Only necessary
 
cookies” on the first level of the cookie banner. It must be ensured that both options are designed equally in terms of
 
visual design, including color, size, contrast, placement and emphasis. It is not permitted to emphasize one of the options through
 
an overly conspicuous design, such as a preferred color scheme, a larger font size or
 
a more prominent placement. - 2 –
 
b) Modify the website www.orf.at in such a way that when visiting this website before giving consent, the following cookies are not set:
 
i) ioam2018 (see fact finding C.7.);
 
ii) i00 (see fact finding C.7.);
 
iii) UserID1 (see fact finding C.7.);
 
iv) autouserid2 (see fact finding C.7.).
 
Legal basis: Article 4, paragraph 11, Article 5, paragraph 1, letter a, Article 7, Article 12, paragraph 1, Article 17, Article 19, Article 57, paragraph 1, letter f, Article 58, paragraph 2 and Article 77, paragraph 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), OJ No. L 119 of 4 May 2016, p. 1; Sections 18, paragraph 1 and 24, paragraph 1, paragraph 2, item 5, paragraph 4 and paragraph 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Section 165 of the
 
Telecommunications Act 2021 (TKG 2021), Federal Law Gazette I No. 190/2021 as amended; Section 1 Paragraph 1 of the ORF
 
Act (ORF-G), Federal Law Gazette No. 379/1984 as amended. - 3 -
 
REASONING
 
A. Arguments of the parties and course of proceedings
 
A.1. In a submission dated August 11, 2021, the complaining party (hereinafter: bP)
 
summarized the following:
 
The bP visited the website of the respondent (hereinafter: BG) at www.orf.at on January 20, 2021. The website displayed a cookie banner. Cookies were set, some with
 
a unique user identification number (“unique ID”). A summary of all HTTP requests and responses is attached as an appendix. The term “relevant processing activities” is used for all processing activities for which the BG wants to establish a legal basis within the framework of the cookie banner. Due to the design of the cookie banner mentioned, several violations have occurred. It cannot be assumed that there was valid consent. It is requested that the BG be instructed to stop all relevant processing activities and to delete all relevant personal data. The GDPR allows the competent supervisory authority to make an order that goes beyond the personal data of the bP. The present complaint (case number C-037-401) is directed against ORF Online and Teletext GmbH & Co KG. Several attachments were attached to the submission. A.2. In a statement dated July 10, 2023, ORF Online and Teletext GmbH & Co KG
 
summarized the following:
 
The Austrian Broadcasting Corporation is responsible for storing cookie values and other device information, which is also evident from the cookie guidelines. On the other hand, ORF
 
Online and Teletext GmbH & Co KG is not responsible.
 
A.3. In a statement dated July 26, 2023, the bP summarized the following:
 
Based on the statement by ORF Online and Teletext GmbH & Co KG, the complaint is directed against the BG (Austrian Broadcasting Corporation). The list of controllers and processors available online at https://orf.at/stories/datenschutz-verantwortliche/ does not indicate which legal entity is responsible for which data processing.
 
A.4. In a statement dated September 4, 2023, the BG summarized the following:
 
The change of the respondent was inadmissible due to preclusion because the subjective preclusion period had expired. An official correction of the designation was inadmissible. The bP's
 
applications were also inadmissible because none of the applications made in the data protection complaint had been lawfully carried out. The bP had not specified the facts and it was
 
unreasonable to check the .har file (Appendix 5). This contains around 17,000 lines. Regardless of this, the BG checked the file. A large part of the cookies were not set by the BG, but by the domain "derstandard.at". There was no cooperation with "derstandard.at" at the time of the proceedings. The bP had also not submitted an application for
 
deletion. The complaint was also unfounded in terms of content. It can also be assumed that
the bP only visited the website to create an auto-generated complaint. The
 
complaint is not a highly personal exercise of claim, but rather an inadmissible
 
association complaint. In addition, the BG answered the questions of the data protection authority.
 
A.5. In a statement dated November 8, 2023, the bP summarized the following:
 
The bP refers to the previous submissions, according to which, based on the online list of
 
the ORF's controllers and processors, it is unclear for which data processing the
 
various legal entities of the ORF are responsible. In this respect, the complaint was
 
originally directed against the body that was thought to be the operator of the website www.orf.at.
 
The information is still available today that ORF Online and Teletext GmbH & Co KG is responsible for
 
www.orf.at. In addition, the complaint was submitted on time and
 
the applications submitted were admissible. It was merely pointed out that the data protection authority could issue orders that went beyond the complainant (presumably meaning his data). Regarding the .har file, it should be noted that it also contains visits to the website "derstandard.at". This is relevant to show that it is a "normal" internet visit in which several websites were visited. A URL search for orf.at resulted in 357. There is therefore a direct or indirect correlation. An application for deletion is not required to assert the right to deletion. The cookie banner still does not meet the data protection requirements. A.6. In its statement of March 28, 2024, the BG summarized the following: The bP submitted an appendix 4 when submitting the complaint in question. It can be assumed that the bP is aware of the content of appendix 4. In Appendix 4, the ORF is expressly named as the responsible party. The party declaration (meaning the original name of the respondent) is not open to any other interpretation due to its express nature. In principle, however, this can be left open, since - as already stated in the statement of September 4, 2023 - the bP's request for deletion was complied with. The proceedings should be discontinued in accordance with Section 24 (6) of the Data Protection Act. With regard to the alleged continuous violation of law, it should be noted that this should not be regarded as a change to the application initiating the proceedings, since such a change would be inadmissible due to the preclusion that has occurred. The submission cannot be regarded as a new complaint either, since the party declaration shows that the bP wants to continue to maintain the original data protection complaint. The reference to the "IDE" cookie does not change the preclusion. The bP did not even claim that the same "IDE cookie value" was stored in the browser at the time in question (January 20, 2021). In summary, the bP's request for deletion was granted. The BG also redesigned the entire ORF website (including the cookie banner).
 
A.7. In a statement dated April 17, 2024, the bP repeated the previous submissions in
 
essentials.
 
A.8. In a settlement dated August 2, 2024, the data protection authority requested the BG as follows (excerpt):
 
"Subject: Request for a statement
 
The data protection authority encloses the complainant's statement dated April 17, 2024. The data protection authority has since taken note of the changes on the website
 
www.orf.at.
 
You are requested to comment on the complainant's statement and the following
 
points within two weeks of receiving this letter and, if necessary, to provide or state appropriate evidence to prove your own submission:
 
x Why are the cookies "ioam2018" and "i00" set before consent is given? Insofar as Section 7 ORF-G is cited in this regard, they are asked to explain to what extent this can be reconciled with Section 165 Paragraph 3 TKG 2021 or Article 5 Paragraph 3 of Directive 2002/58/EC. x For what purpose is the "Accept all cookies" field colored blue, while the other two fields do not have a color that stands out from the background?" A.9. In a statement dated August 16, 2024, the BG summarized the following: The "Accept all cookies" button is colored blue because the entire website is primarily designed in white and blue. The color contrast makes it easier for users to make a selection. The white buttons are also clearly visible against the light gray background. The legality of the data processing in question derives from the BG's legal obligation to measure reach in accordance with Sections 4e and 7 of the ORF Act. The measurement is absolutely necessary in order to comply with the legal mandate. The data collection through the cookies "ioam2018" and "i00" is - as a precaution - based both on the legal basis of fulfilling a legal obligation and on the performance of a task that is in the public interest. The BG has asked the Austrian Web Analysis (ÖWA), which acts as the BG's service provider, to delete the corresponding cookie values. Furthermore, these cookie values are not personal data. The data protection authority is not responsible for the implementation of Section 165 Paragraph 3 of the TKG 2021. A.10. In a statement dated March 28, 2024, the bP summarized the following: - 6 -
 
In the bP's opinion, the design of the cookie banner and the button colors chosen are misleading. The color design has a significant influence on users' choices, which has been academically proven. The standards cited by the BG are not a suitable basis for data processing, especially since the ORF-G does not provide for how the reach is to be measured. There are other options than tracking cookies. In addition, the cookies "ioam2018" and "i00" (or their values) are personal data from a legal point of view.
 
B. Subject of the complaint
 
B.1. Based on the bP's submission, a decision must be made as to whether the BG should be ordered to A) delete the bP's
 
personal data (the cookie values) and inform the recipients of the deletion,
 
and B) stop the "relevant processing activities".
 
By "relevant processing activities", the bP refers to those cookies (and similar
 
technologies) that were used during the bP's visit to www.orf.at on January 20, 2021.
 
B.2. However, it must first be checked whether the complaint - as raised by the BG - is not
 
already precluded under Section 24 (4) DSG.
 
C. Findings of fact
 
C.1. Cookies can be used to collect information that has been generated by a website and stored via an Internet user's
 
browser. It is a small file or text information (usually less than one kilobyte) that is placed by a website on the hard drive of an Internet user's computer or mobile device through an Internet user's browser. A cookie allows the website to "remember" the user's actions or preferences. Most web browsers support cookies, but users can set their browsers to refuse cookies. They can also delete cookies at any time. Websites use cookies to identify users, remember their customers' preferences, and allow users to complete tasks without having to re-enter information when they move to another page or return to the website later. Cookies can also be used to collect information based on online behavior for targeted advertising and marketing. For example, companies use software to track user behavior and create personal profiles that allow users to be shown advertising tailored to their previous searches. Assessment of evidence C.1.: The statements on the functionality of cookies come from the
 
Opinion of the Advocate General of 21 March 2019 in case C-673/17 (Planet 49), para. 36 ff with further references. - 7 -
 
Since this is a case-independent and general technical description of the possible
 
functions of cookies, these statements had to be included at the factual level - and not in the
 
legal assessment.
 
C.2. The BG is the operator of the website www.orf.at. It decides under which
 
conditions which cookies are set or read when the website is accessed.
 
Assessment of evidence C.2.: The findings made are based on the BG's statement of
 
10 July 2023. The bP did not subsequently dispute this argument. The
 
Data Protection Authority has no indications to cast doubt on the BG's argument.
 
C.3. The bP visited the website www.orf.at at least on January 20, 2021.
 
The cookie banner looked as follows on January 20, 2021: - 8 –
 
Figure 1
 
Evaluation of evidence C.3.: The findings made are based on the bP's entry of August 11, 2021 and are undisputed. The screenshot is based on the attachment "Appendix 2.png" submitted by the bP.
 
C.4. As a result of visiting the website www.orf.at, cookies were set and read on the bP's device on January 20, 2021, which contained a unique, randomly generated value (Universally Unique Identifier, hereinafter: UUID).
 
The content of the attachments "Appendix 5.har" and "Appendix 6.csv" is used as the basis for the findings of fact.
 
Assessment of evidence C.4.: The findings are based on the bP's submission of August 11, 2021 and the submitted attachments "Appendix 5.har" and "Appendix 6.csv". The BG's statement of September 4, 2023, according to which the cited attachments also contain information about accessing other websites (such as www.derstandard.at), is not overlooked. However, as the bP correctly states in its statement of November 8, 2023, the attachments contain - 9 - information about an internet visit during which several websites were accessed. In fact, a search for the URL "orf.at" results in numerous hits in the attachments. In this respect, the bP's argument is proven by the submission of these attachments. C.5. The BG is currently not storing any cookie values that were set and read on the bP's device as a result of the visit to
www.orf.at on January 20, 2021.
 
The BG has also informed the recipients of the data transmission (specifically the providers of the services that
 
it has implemented on its website) of the deletion.
 
Evaluation of evidence C.5.: The findings made are based on the BG's statements of
 
March 28, 2024 and August 16, 2024. At the request of the data protection authority, the
 
BG stated that - without prejudice to the arguments put forward - the relevant data (the
 
cookie values) had been deleted and a notification had been sent to the service providers. The bP
 
did not dispute this claim, but merely pointed out that no evidence had been
 
presented. In the opinion of the data protection authority, there are no indications to cast doubt on the BG's
 
statement, especially since the BG has been very cooperative during the investigation and has adapted the cookie banner - albeit not to the complete satisfaction of
 
all parties and the data protection authority. Overall, there are no
 
investigation results that would justify a contrary finding.
 
C.6. The BG has adapted its cookie banner (the request for consent) on the website www.orf.at.
 
At the current time, the BG's cookie banner looks as follows: - 10 -
 
Figure 2
 
The background of the cookie banner (hexadecimal color code #f0f1f4) is a
 
very light shade of blue.
 
The "Accept all cookies" button is a dark blue shade
 
(hexadecimal color code #466199).
 
The “Cookie preferences” and “Only necessary cookies” button is a
 
white shade (hexadecimal color code #FFFFFF). - 11 –
 
The contrast ratio of #466199 (“Accept all cookies” button) to #f0f1f4 (background
 
of the cookie banner) is 5.42:1 and is rated “Good” according to the Color Contrast Checker at
 
https://coolors.co/contrast-checker.
 
The contrast ratio of #FFFFFF (“Cookie preferences” and “Only necessary cookies” buttons) to #f0f1f4 (background of the cookie banner) is 1.13:1 and is classified as “Very poor” according to the Color
Contrast Checker at https://coolors.co/contrast-checker.
 
A contrast of 3:1 is recommended as the minimum contrast according to ISO-9241–3.
 
If the “Cookie preferences” option is selected, the following button appears:
 
Figure 3
 
Evaluation of evidence C.6.: The findings made regarding the cookie banner are based on an
 
official research by the data protection authority on the website www.orf.at, last accessed on
 
October 28, 2024. The finding that the BG has adapted the cookie banner also arises
 
from the present file and is undisputed. The findings on the selected colors of the cookie banner and buttons are based on an official research at https://encycolorpedia.de/ (last accessed on October 28, 2024). The findings on the contrast ratios are based on the publicly accessible website www.orf.at and https://coolors.co/contrast-checker (last accessed on October 24, 2024). The findings on the - 12 - ISO standard are based on the content of ISO-9241–3. The recommended contrast of the aforementioned ISO standard is also discussed at https://biti-wiki.de/index.php?title=1.01.0_-_Ausreichender_Kontrast (last accessed on October 24, 2024). C.7. When you visit the website www.orf.at, the following cookies are set or read,
 
before any interaction with the displayed request for consent (cookie banner) takes place:
 
Domain name
 
orf.at ioam2018
 
iocnt.net i00
 
orf.at didomi_token
 
adfarm1.addtion.com UserID1
 
www.orf.at _autouserid2
 
The cookie “ioam2018” contains a UUID (for the definition of “UUID” see again
 
Fact finding C.4.). It is used to determine statistical parameters for the use of a
 
website. The provider is the Austrian Web Analysis (ÖWA). The following information can be found
 
at https://orf.at/stories/datenschutz-cookies/: “Stores a
 
client hash for the Austrian Web Analysis (ÖWA) to optimize the determination of the key figures
 
Unique Clients and Visits. This cookie is set in the context of the domain orf.at."
 
The cookie "i00" contains a UUID. It is used to recognize users' end devices. The following information can be found at https://orf.at/stories/datenschutz-cookies/: "This cookie is used by the ÖWA to recognize end devices. If the cookie is suppressed, the ÖWA tries to recognize the device by combining the IP address and browser name. For apps, the ÖWA uses the so-called "Advertiser ID", unless the use of the "Advertiser ID" (advertising ID) is deactivated via the device settings (meaning: deactivated)."
 
"didomi token" contains a UUID. This is a tool for consent management
 
(Consent Solution).
 
The cookie "UserID1" contains a UUID. This cookie is used to re-target the user with online advertising based on the interest shown on the website.
 
The cookie "autouserid2" contains the same UUID as "UserID1". It is the first-party cookie equivalent to "UserID1" if third-party cookies are blocked. - 13 -
 
Evaluation of evidence C.7.: The findings made regarding the cookie banner and the cookies set are based on an official search by the data protection authority on the website www.orf.at, last accessed on October 28, 2024. The finding that the BG has adjusted the cookie banner is evident from the present file and is undisputed.
 
The findings regarding the function of the cookies are based on an official search at (each last accessed on October 28, 2024)
 
▯ https://orf.at/stories/datenschutz-cookies/ (information provided by the BG);
 
▯ https://oewa.at/tech-support/mcvd/ (for “ioam2018”);
 
▯ https://support.didomi.io/didomi-cookies-storage-1 (for “didomi_token”);
 
▯ https://www.ccm19.de/plugin.php?menuid=253&template=mv/templates/mv_show_front.html&
 
mv_id=1&extern_meta=x&mv_content_id=139&getlang=de and (for “UserID1”);
 
▯ https://github.com/jkwakman/Open-Cookie-Database/blob/master/open-cookie-database.csv
 
(also for “UserID1”);
 
▯ https://www.cookie.is/UserID1# (also for “UserID1”).
 
D. From a legal point of view, this results in:
 
Questions of jurisdiction
 
D.1. On the relationship between the e-Data Protection Directive and the GDPR
 
Processing operations of a matter can be subject to both the provisions of Directive 2002/58/EC as amended (e-Data Protection Directive) or the TKG 2021, as well as the GDPR.
 
While the setting or reading of cookies is to be assessed according to the requirements of Art. 5 (3) of the e-
 
Data Protection Directive, the subsequent data processing falls within the scope of the GDPR (cf. the EDSA Guidelines 01/2020 on the processing of personal data in connection with connected vehicles and mobility-related


applications, version 2.0, para. 15 and para. 53).
Reasoning


This also corresponds to the legal opinion of the European Court of Justice in the Fashion ID case. This also assumed that, as a result of the implementation of a social plug-in on a website (this falls within the scope of the e-Privacy Directive), the transfer of the website visitor's data to Facebook Ireland Limited and the subsequent data processing fell within the scope of the (then) Directive 95/46 GDPR (see the ECJ judgment of 29 July 2019, C-40/17, para. 26 and in particular para. 85). In comparable cases, the Federal Administrative Court has also assumed that the data protection authority was responsible (see, among many others, the BVwG ruling of 26 April 2024, GZ: W211 2281997-1/5E mwN). - 14 –
A. Submissions of the Parties and Procedural History 
A.1. In their submission dated 11 August 2021, the complainant (hereinafter referred to as “CP”) summarised as follows:


The data protection authority is therefore responsible for the complaint in question because data processing (browser data, IP addresses, cookie values) has taken place as a result of setting or reading cookies (see statement of facts C.4) and the application of the GDPR is not excluded per se.
The CP visited the Respondent's website (hereinafter "R") at www.orf.at on 20 January 2021. The website displayed a cookie banner, and cookies were set, some containing a unique user identification number. A summary of all HTTP requests and responses was attached as an annex. For all processing activities that R sought to justify based on the cookie banner, the term "relevant processing activities" is used. Several violations occurred due to the design of the mentioned cookie banner, and valid consent could not be assumed. The CP requested that R be instructed to cease all relevant processing activities and delete all relevant personal data. The GDPR permits the supervisory authority to issue an order that goes beyond the personal data of the CP. This complaint (case number C-037-401) was directed against ORF Online and Teletext GmbH & Co KG. Several annexes were attached to the submission.


D.2. On the possible preclusion pursuant to Section 24 Para. 4 DSG
A.2. In their response dated 10 July 2023, ORF Online and Teletext GmbH & Co KG summarised as follows:


The BG argues that the right to have the bP's complaint dealt with is already precluded pursuant to Section 24 Para. 4 DSG.
The Austrian Broadcasting Corporation is responsible for storing cookie values and other device information, as evidenced by the cookie policy. However, ORF Online and Teletext GmbH & Co KG is not responsible.


To summarize the main points, the BG argues that it is clear from its data protection declaration that it (i.e. the foundation under public law, Austrian Broadcasting) is the
A.3. In a further statement dated 26 July 2023, the CP summarised as follows:


person responsible for the website www.orf.at. However, the bP originally directed the complaint against ORF Online and Teletext GmbH & Co KG and only subsequently "replaced" the BG.
Following ORF Online and Teletext GmbH & Co KG's response, the complaint is directed against R (Austrian Broadcasting Corporation). The online list of controllers and processors at https://orf.at/stories/datenschutz-verantwortliche/ does not indicate which legal entity is responsible for which data processing.


The BG's argument must be countered by the fact that the respondent is to be named (only) to the extent that this is reasonable, in accordance with Section 24 Paragraph 2 Item 2 of the Data Protection Act. The data protection authority agrees with the bP's argument that the person responsible for data protection for the website www.orf.at - based on the information at the time - was not clearly identified. Even at the current time, numerous legal entities of the ORF are listed at https://orf.at/stories/datenschutz-verantwortliche/ (as of October 28, 2024), although it is not explained for which specific processing operations the respective legal entities are responsible. This is not changed by the BG's reference to the content of Appendix 4, which was submitted by the bP. It is true that in Appendix 4 the ORF is named as the person responsible; however, as already explained, many legal entities can be understood by "ORF". In any case, the information provided by the BG does not meet the requirements of Art. 12 Para. 1 GDPR
A.4. In their statement dated 4 September 2023, R summarised as follows:


for clear and precise language.
The change of Respondent is impermissible due to preclusion, as the subjective preclusive period has elapsed. An ex officio correction of the designation is impermissible. The CP's applications are likewise inadmissible as none of the applications made in the data protection complaint were lawfully implemented. The CP did not specify the facts, and it would be unreasonable to review the .har file (Annex 5), which contains approximately 17,000 lines. Nevertheless, R reviewed the file, and most cookies were not set by R but by the domain "derstandard.at". There was no cooperation with "derstandard.at" at the time of the complaint. The CP also did not apply for deletion. The complaint is also substantively unfounded. It is also to be assumed that the CP visited the website only to generate an automatically generated complaint. The complaint is not a personal exercise of rights but rather an inadmissible association complaint. Furthermore, R responded to the DPA’s inquiries.


It follows that the limitation period of Section 24 Para. 2 Z 2 DSG only began to run after
A.5. In a statement dated 8 November 2023, the CP summarised as follows:


the responsibility for the bP had been sufficiently clarified. This was the case after the bP received the
The CP refers to previous submissions, stating that the online list of controllers and processors of ORF does not make it clear which legal entities of ORF are responsible for which data processing. Thus, the complaint was initially directed at the party presumed to be the operator of the website www.orf.at. The information is still available today that ORF Online and Teletext GmbH & Co KG is responsible for www.orf.at. Furthermore, the complaint was submitted within the time limit, and the applications made are admissible. It was merely indicated that the DPA could issue orders beyond the complainant (presumably the complainant’s data). Concerning the .har file, it is noted that it also contains visits to "derstandard.at". This is relevant to show that this was a "normal" internet visit, during which multiple websites were visited. A URL search for orf.at yielded 357 results. A direct or indirect correlation exists. An application for deletion is not required to assert the right to erasure. The cookie banner continues to fail to meet data protection requirements.


statement of the BG dated July 10, 2023. Subsequently, the bP clarified the BG on
A.6. In a statement dated 28 March 2024, R summarised as follows:


July 26, 2023 (see the decision of the VwGH of June 27, 2023, Ro 2023/04/0013, according to para. 34, for the correction of the respondent in the event of the unreasonableness of the designation).
The CP submitted Annex 4 as part of the complaint. It is assumed that the CP is aware of the content of Annex 4. In Annex 4, ORF is expressly designated as the controller. The designation of the party (i.e., the original designation of the Respondent) cannot be interpreted otherwise due to its explicitness. However, this can remain undecided since, as already stated in the statement dated 4 September 2023, the CP’s deletion request was granted. The procedure is to be discontinued according to § 24(6) DSG. As for the alleged continuous legal infringement, this does not constitute a change to the initial complaint, as such a change would be impermissible due to preclusion. The submission cannot be regarded as a new complaint, as the CP’s statement shows that they intend to maintain the original data protection complaint. The reference to the "IDE" cookie does not change the preclusion. The CP did not even claim that the same "IDE cookie value" was stored in the browser at the time in question (20 January 2021). In summary, the CP’s deletion request was granted. R also overhauled the entire ORF website (including the cookie banner).


The (absolute and subjective) limitation period is thus observed and the data protection authority is
A.7. In a statement dated 17 April 2024, the CP essentially reiterated the previous submissions.


responsible for deciding on the content of the complaint. - 15 –
A.8. In a communication dated 2 August 2024, the DPA requested that R provide a statement within two weeks and submit or specify any suitable evidence to substantiate its submissions. The DPA highlighted the following issues (excerpt):


D.3. Processing of personal data
"Subject: Request for Statement
The DPA hereby transmits the CP’s statement dated 17 April 2024. In the meantime, the DPA has noted the changes on the website www.orf.at.
You are requested to provide a statement on the CP’s submission and the following points:
  - Why are the cookies "ioam2018" and "i00" set before consent is given? If § 7 ORF-G is cited in this regard, please explain how this complies with § 165(3) TKG 2021 and Art. 5(3) of Directive 2002/58/EC.
  - Why is the "Accept All Cookies" button coloured blue, while the other buttons lack


In the Google Analytics case, the data protection authority has already stated – in accordance with the case law of the European Data Protection Supervisor (EDPS) – that cookies that contain a unique,
any distinctive colour?"


randomly generated value (Universally Unique Identifier, hereinafter: UUID) and that are set with the
A.9. In a statement dated 16 August 2024, R summarised as follows:


purpose of individualizing and separating people meet the definition of Art. 4 Z 1
The "Accept All Cookies" button is coloured blue because the entire website primarily uses the colours white and blue. The contrast facilitates selection for users. The white buttons are also clearly distinguished from the light grey background. The lawfulness of the data processing in question derives from the legal obligation of R to measure reach under §§ 4e, 7 ORF-G. Measurement is essential to fulfil the statutory mandate. The data collection by the cookies "ioam2018" and "i00" is based, as a precaution, on both the legal basis of compliance with a legal obligation and the exercise of a task carried out in the public interest. R has instructed the Austrian Web Analysis (ÖWA), which acts as a service provider for R, to delete the corresponding cookie values. Furthermore, these cookie values are not personal data. The DPA is not competent for enforcing § 165(3) TKG 2021.
GDPR. In particular, it can never be ruled out that the cookie values and the IP


address of a person's device are combined with additional information at some point in the processing chain, e.g. if the data subject registers on a website with
A.10. In a statement dated 28 March 2024, the CP summarised as follows:
their email address or real name (see the decision of April 22, 2022, GZ: 2022-


0.298.191, available on the website www.dsb.gv.at; this legal opinion is confirmed, among others, by the
According to the CP, the design of the cookie banner and the colours chosen for the buttons are misleading. Colour design has a significant impact on user choice, which has been academically proven. The norms cited by R do not provide an adequate basis for data processing, as the ORF-G does not stipulate how reach is to be measured. Other options than tracking cookies are available. Furthermore, the cookies "ioam2018" and "i00" (or their values) are legally considered personal data.


findings of the Federal Administrative Court of May 12, 2023, GZ: W245 2252208-1 and of April 26, 2024, GZ: W211
B. Subject of the Complaint 
B.1. Based on the CP’s submissions, it must be decided whether R is to be ordered to delete the CP’s personal data (cookie values) and to notify the recipients of this deletion, as well as to cease the "relevant processing activities".
The "relevant processing activities" refer to cookies (and similar technologies) used during the CP’s visit to www.orf.at on 20 January 2021.
B.2. However, it must first be examined whether, as R argues, the complaint is already time-barred under § 24(4) DSG.


2281997-1; on the personal reference of "Google Analytics cookies" also the decision of the EDSB
C. Findings of Facts 
against the European Parliament of January 5, 2022, GZ: 2020-1013, p. 13).
C.1. Cookies allow information generated by a website to be stored and saved via the user’s browser. It is a small file or text information (generally less than 1 KB) that a website places on a user’s computer or mobile device through the browser.
A cookie allows the website to "remember" the user’s actions or preferences. Most web browsers support cookies, but users can set their browsers to reject cookies and can delete them at any time.
Websites use cookies to identify users, remember their preferences, and enable users to complete tasks without re-entering information when switching pages or returning to the website.
Cookies can also be used to collect information based on online behaviour for targeted advertising and marketing. For example, companies use software to track user behaviour and create personal profiles, enabling them to show users advertisements tailored to previous searches.


These considerations can be applied to the present case, since as a result of the
Evidence for C.1.: The descriptions regarding cookie functions are based on the Advocate General’s opinion of 21 March 2019 in Case C-673/17 (Planet 49), para. 36 ff. Since this is a technical description of cookie functionality independent of individual cases, it was included at the factual level rather than in the legal assessment.


visit to the website www.orf.at on January 20, 2021, cookies with unique, randomly generated
C.2. R operates the website www.orf.at and decides under which conditions which cookies are set or read upon accessing the said website.


values were set and read in the bP's end device (see factual findings C.4).
Evidence for C.2.: The findings are based on R's statement dated 10 July 2023. The CP has not disputed this submission subsequently. The DPA has no reason to question R’s submission.


The cookie values (in combination with browser data and the IP address of the
C.3. The CP visited the website www.orf.at on at least 20 January 2021. The cookie banner on 20 January 2021 was designed as follows:


end device) were subsequently transmitted to the servers of the respective providers (e.g. to the provider of the advertising cookie "UserID1"
Evidence for C.3.: The findings are based on the CP’s submission of 11 August 2021 and are undisputed. The screenshot is based on the exhibit "Annex 2.png" submitted by the CP.


with the domain adfarm1.addtion.com).
C.4. As a result of the visit to the website www.orf.at on 20 January 2021, cookies were set and read on the CP’s device containing a unique, randomly generated value (Universally Unique Identifier, hereinafter "UUID").


The (factual) scope of application of the GDPR is therefore fulfilled.
The contents of exhibits "Annex 5.har" and "Annex 6.csv" form the basis for these findings.


On point 1
Evidence for C.4.: The findings are based on the CP’s submission dated 11 August 2021 and the submitted exhibits "Annex 5.har" and "Annex 6.csv". R's statement of 4 September 2023, stating that the submitted exhibits also contain information about visits to other websites (such as www.derstandard.at), is noted. However, as the CP correctly stated on 8 November 2023, the exhibits contain information about an internet visit during which several websites were accessed. Indeed, numerous entries for the URL "orf.at" can be found in the exhibits.


D.4. On the right to erasure and the obligation to notify (complaint point A)
C.5. At present, R does not store any cookie values that were set and read on the CP's device following the visit to www.orf.at on 20 January 2021. R has also informed the recipients of the data transmission (specifically the providers of the services implemented on its website) about the deletion.


As stated, the BG does not currently store the information that can be considered personal data of the bP - i.e. the IP address and the cookie values of the bP's end device.
Evidence for C.5.: These findings are based on R's statements from 28 March 2024 and 16 August 2024. Upon the DPA’s request, R stated that the relevant data (cookie values) had been deleted, and a notification had been sent to the service providers, notwithstanding the arguments presented. The CP has not disputed this claim but merely noted that no proof was provided. In the DPA's view, there is no reason to doubt R's claim, particularly as R has shown cooperation during the investigation and adjusted the cookie banner, albeit not to the complete satisfaction of all parties and the DPA. Overall, there are no investigative findings that would justify a contrary conclusion.


In addition, the recipients of the data transfer were informed of the
C.6. R has modified its cookie banner (the request for consent) on the website www.orf.at. The current design of R’s cookie banner is as follows:


erasure in accordance with Art. 19 GDPR (see fact finding C.5).
Evidence for C.6.: The findings on the cookie banner are based on an ex officio inquiry by the DPA on the website www.orf.at, last accessed on 28 October 2024. The finding that R modified the cookie banner is also derived from the record at hand and is undisputed. The findings on the selected colors for the cookie banner and the buttons are based on an ex officio inquiry on https://encycolorpedia.de/ (last accessed on 28 October 2024). The findings on contrast ratios are based on the publicly accessible website www.orf.at and https://coolors.co/contrast-checker (last accessed on 24 October 2024). The findings regarding the ISO standard are based on the content of ISO-9241–3. The recommended contrast according to this ISO standard is also discussed on https://biti-wiki.de/index.php?title=1.01.0_-_Ausreichender_Kontrast (last accessed on 24 October 2024).


According to the case law of the Federal Administrative Court, there is also no subjective right to a determination that the
C.7. When accessing the website www.orf.at, the following cookies are set or read before any interaction with the displayed consent request (cookie banner):


rights of the data subject - here: the right to erasure - were complied with too late (cf. the
| Domain              | Cookie Name    |
|-|--|
| orf.at              | ioam2018        |
| iocnt.net            | i00            |
| orf.at              | didomi_token    |
| adfarm1.addtion.com  | UserID1        |
| www.orf.at          | _autouserid2    |


decision of the Federal Administrative Court of January 31, 2020, GZ: W258 2226305-1 mwN).
The cookie "ioam2018" contains a UUID and is used to determine statistical values regarding website usage. The provider is the Austrian Web Analysis (ÖWA), which notes on https://orf.at/stories/datenschutz-cookies/: "Stores a client hash for the Austrian Web Analysis (ÖWA) to optimize the metrics for Unique Clients and Visits. This cookie is set in the context of the domain orf.at."


At least at the time of the decision, there is therefore no violation of Art. 17 (in conjunction with Art. 19) GDPR.
The cookie "i00" also contains a UUID and serves to recognize user devices. The ÖWA’s description on https://orf.at/stories/datenschutz-cookies/ reads: "This cookie is used by the ÖWA to recognize devices. If the cookie is suppressed, the ÖWA tries to recognize the device through a combination of IP address and browser information. For apps, the ÖWA uses the so-called ‘Advertiser ID,’ unless the use of the ‘Advertiser ID’ (Advertising ID) is deactivated via device settings."


D.5. On the application for an order against the BG to stop the unlawful processing
The cookie "didomi_token" contains a UUID and serves as a consent management tool.


(Complaint point B) - 16 –
The cookie "UserID1" contains a UUID and is used to retarget users with online advertising based on interests shown on the website.


In addition, the bP has filed an application to order the BG to stop the unlawful
The cookie "_autouserid2" contains the same UUID as "UserID1." It is the first-party cookie equivalent to "UserID1" if third-party cookies are blocked.


processing.
Evidence for C.7.: The findings regarding the cookie banner and cookies set are based on an ex officio inquiry by the DPA on the website www.orf.at, last accessed on 28 October 2024. The finding that R modified the cookie banner is derived from the record and is undisputed. The findings on the function of the cookies are based on an ex officio inquiry at the following sources (last accessed on 28 October 2024):
- https://orf.at/stories/datenschutz-cookies/ (information provided by R);
- https://oewa.at/tech-support/mcvd/ (for "ioam2018");
- https://support.didomi.io/didomi-cookies-storage-1 (for "didomi_token");
- https://www.ccm19.de/plugin.php?menuid=253&template=mv/templates/mv_show_front.html&mv_id=1&extern_meta=x&mv_content_id=139&getlang=de (for "UserID1");
- https://github.com/jkwakman/Open-Cookie-Database/blob/master/open-cookie-database.csv (also for "UserID1");
- https://www.cookie.is/UserID1# (also for "UserID1").


According to Art. 77 Para. 1 GDPR, every data subject has “[…] without prejudice to any other
D. Legal Assessment


administrative or judicial remedy, the right to lodge a complaint with a
Jurisdictional Issues 
D.1. Relationship between e-Privacy Directive and GDPR


supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers
Processing operations in a given factual context can be subject to both the provisions of Directive 2002/58/EC (e-Privacy Directive) or TKG 2021 and the GDPR. While the placement or reading of cookies is assessed under Article 5(3) of the e-Privacy Directive, subsequent data processing falls within the scope of the GDPR (see EDPB Guidelines 01/2020 on processing personal data in connection with connected vehicles and mobility-related applications, Version 2.0, paras 15 and 53).


that the processing of personal data concerning him or her infringes this Regulation.
This also aligns with the European Court of Justice (CJEU) judgment in Fashion ID. The Court found that, following the implementation of a social plugin on a website (falling under the scope of the e-Privacy Directive), the transmission of the website visitor’s data to Facebook Ireland Limited and subsequent data processing fell within the scope of the (former) Directive 95/46 GDPR (see CJEU judgment of 29 July 2019, Case C-40/17, paras 26 and 85).


It is clear from the wording of Art. 77 Para. 1 GDPR that any applications made in the context of
In comparable cases, the Federal Administrative Court has similarly held that the DPA is competent (see, inter alia, BVwG decision of 26 April 2024, GZ: W211 2281997-1/5E, with references).


a complaint procedure must relate to the person of the complaining party (“personal data concerning him or her”).
The DPA is therefore competent for the present complaint since, as a result of the placement or reading of cookies, data processing (browser data, IP addresses, cookie values) has occurred (see Finding of Facts C.4), and the application of the GDPR is not excluded per se.


As already stated, the BG does not currently store the bP's data that is the subject of the complaint, so that no remedy can be used that relates to the bP's personal data. In view of the final nature of the remedy powers under Art. 58 Para. 2 GDPR (see again the decision of the VwGH of September 1, 2022, Ra 2022/04/0066) and the wording of Art. 77 Para. 1 GDPR and Section 24 Para. 1 DSG (violates and not: "has violated" or "will violate"; English version of the GDPR: "infringes", French version of the GDPR: "constitue"), no order can be issued in the context of a complaint procedure that relates to data processing pro futuro (i.e. in the event that the bP accesses the website again in the future). It is therefore no longer necessary to address the abstractly formulated violations of the bP in connection with the
D.2. Possible Preclusion under § 24(4) DSG
cookie banner.


The complaint was therefore rejected in accordance with the ruling.
R argues that the CP’s right to have the complaint addressed is already time-barred under § 24(4) DSG.


General information on ruling point 2
In summary, R argues that its privacy policy states that it (the Public Foundation, Austrian Broadcasting Corporation) is the controller for the website www.orf.at. The CP initially filed the complaint against ORF Online and Teletext GmbH & Co KG and subsequently “replaced” R.


D.6. On the powers of remediation
It should be noted that the respondent must be specified in accordance with § 24(2)(2) DSG only insofar as is reasonable.


The data protection authority has powers of remediation pursuant to Art. 58 para. 2 lit. d GDPR, which allow it, among other things, to instruct a controller to change or carry out processing operations in a certain way
The DPA concurs with the CP’s position that the controller for the website www.orf.at was not clearly identified based on the information available at the time. Even currently, numerous legal entities of ORF are listed at https://orf.at/stories/datenschutz-verantwortliche/ (as of 28 October 2024), without specifying which processing operations each legal entity is responsible for.


and within a certain period of time.
R’s reference to the content of Annex 4, submitted by the CP, does not change this conclusion. While it is correct that ORF is designated as the controller in Annex 4, "ORF" can refer to multiple legal entities, as explained above.


Neither the GDPR, nor the DSG or the AVG stipulate that official powers may only be exercised in the context of a data protection review pursuant to Art. 58 para. 1 lit. b GDPR. - 17 –
Thus, the preclusive period of § 24(2)(2) DSG only began once the CP sufficiently clarified the controller’s identity, which occurred when the CP received R's statement on 10 July 2023. The CP subsequently clarified the respondent as R on 26 July 2023 (see VwGH decision of 27 June 2023, Ro 2023/04/0013, para. 34 on amending the respondent when designation is unreasonable).


The Federal Administrative Court has therefore already ruled that the data protection authority can also make use of its powers stipulated in Article 58 (2) GDPR in appeal proceedings (see the decision of November 16, 2022, Ref. No. W274 2237056-1/8E;
Therefore, the (absolute and subjective) preclusion period is met, and the DPA has jurisdiction to address the complaint substantively.


most recently confirmed by the decision of July 31, 2024, Ref. No. W108 2284491-1/15E).
D.3. Processing of Personal Data


The Federal Administrative Court's considerations are also in line with the case law of the
The DPA has already ruled in the Google Analytics case, in line with the case law of the European Data Protection Supervisor (EDPS), that cookies containing a unique, randomly generated value (UUID) intended to individualize or distinguish persons meet the definition of personal data under Article 4(1) GDPR. It cannot be ruled out that cookie values and the IP address of a device may be combined at any stage of the processing chain with additional information, for example, when the data subject registers on a website with an email address or real name (see DPA decision of 22 April 2022, GZ: 2022-0.298.191, available on www.dsb.gv.at; this legal view is confirmed, inter alia, by BVwG decisions of 12 May 2023, GZ: W245 2252208-1, and 26 April


European Court of Justice, according to which a supervisory authority is obliged to make use of its remedial powers in the event of identified
2024, GZ: W211 2281997-1; regarding the identification potential of “Google Analytics cookies,” see the EDPS decision against the European Parliament of 5 January 2022, GZ: 2020-1013, p. 13).


deficiencies (see the judgment of the ECJ of July 16, 2020 C-311/18, para. 111).
These considerations apply here since cookies containing unique, randomly generated values were set and read on the CP’s device as a result of visiting the website www.orf.at on 20 January 2021 (see Finding of Facts C.4). These cookie values (in combination with browser data and the IP address of the device) were then transmitted to the servers of the respective providers (such as the provider of the advertising cookie "UserID1" with the domain adfarm1.addtion.com).


The complaint in question was ultimately rejected; however, since the request for consent (the cookie banner) and the use of cookies - for the reasons set out below - are not in line with data protection requirements, an official service contract was required. With its decision on August 2, 2024, the data protection authority gave the BG the opportunity to comment on the website www.orf.at and the cookie banner. In its statement of August 16, 2024, the BG set out its view. D.7. Responsibility for the service contract and application of the GDPR Regarding the responsibility of the data protection authority and the question of the (material) scope of application of the GDPR, reference is made to the considerations under D.1. (Relationship between the e-Data Protection Directive and the GDPR) and D.3. (Processing of personal data). The considerations are also relevant for the performance contract according to point 2, since cookies are currently being used that contain a UUID and that (along with other browser data and the IP address) are transmitted to third-party servers (see factual findings C.7.). There is also no evidence that technical protective measures have been implemented to prevent this data from being linked to other additional information within the processing chain (see the ECJ judgment of October 27, 2022, C-129/21, para. 81, on the accountability and compliance obligations of a controller). It is not necessary for the BG itself to be able to establish a personal reference (see the ECJ judgment of July 29, 2019, C-40/17, para. 66 ff. with further references). Finally, the protective purpose of the
The material scope of the GDPR is therefore fulfilled.


Regulation also speaks in favor of a broad interpretation of Art. 4 Z 1 GDPR. This is to ensure a high level of protection of the fundamental rights and freedoms
D.4. Right to Erasure and Obligation to Inform (Complaint Point A)


of natural persons when processing personal data (see the judgment - 18 -
As established, R currently does not store the information that can be considered the CP’s personal data—namely, the IP address and the cookie values from the CP’s device (see Finding of Facts C.5). Furthermore, the recipients of the data transmission were notified of the deletion in accordance with Article 19 GDPR.


of the ECJ of August 1, 2022, C-184/20, para. 61). This protective purpose would be counteracted if the standard of "identifiability" is applied too narrowly.
The case law of the Federal Administrative Court (BVwG) also provides that there is no subjective right to a declaration that data subject rights—in this case, the right to erasure—were possibly fulfilled too late (see BVwG decision of 31 January 2020, GZ: W258 2226305-1, with references).


In a comparable case - at least with regard to the cookies ioam2018 and i00 - the
Therefore, at the time of the decision, there is no violation of Articles 17 and 19 GDPR.


Federal Administrative Court also assumed the scope of application of the GDPR (see again
D.5. Request for an Order against R to Cease Unlawful Processing (Complaint Point B)


the decision of the BVwG of April 26, 2024, GZ: W211 2281997-1/5E, point 3.2.1.).
The CP has also requested an order directing R to cease unlawful processing activities.


On point 2 a)
Under Article 77(1) GDPR, any data subject has "the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work, or place of the alleged infringement, if they consider that the processing of personal data relating to them infringes this Regulation."


D.8. Design of the request for consent (cookie banner)
The wording of Article 77(1) GDPR suggests that any requests submitted within a complaint procedure must pertain to the data of the complainant ("personal data relating to them").


It should be noted that instructions pursuant to Art. 58 Para. 2 lit. d GDPR can also include adjustments
As stated, R currently does not store the CP’s data subject to the complaint, meaning there is no remedy applicable to the CP’s data.


regarding requests for consent (cf. Zavadil in Knyrim, DatKomm Art. 58 GDPR
In light of the conclusive nature of the remedies available under Article 58(2) GDPR (see also VwGH ruling of 1 September 2022, Ra 2022/04/0066) and the wording of Article 77(1) GDPR and § 24(1) DSG ("infringes" and not "infringed" or "will infringe"; English version: "infringes," French version: "constitue"), no order can be issued within the scope of a complaint procedure for future data processing (i.e., if the CP visits the website again in the future).


[as of 1.7.2024, rdb.at] Art. 58 Rz 34/1 mwN).
Thus, there is no need to address the CP’s general allegations concerning the cookie banner.


To assess how the cookie banner and the interaction options are to be understood, the figure of an averagely informed, attentive and intelligent consumer must be used (see the judgment of the ECJ of July 16, 1998, C-210/96 [Gut Springenheide GmbH] para. 37; the decision of the BVwG of December 13, 2022, GZ: W214 2234934-1; Article 29-
The complaint is therefore dismissed as stated in the ruling.


Data Protection Working Party, Guidelines on consent under Regulation 2016/67, WP259
General Considerations on Point 2 of the Ruling


rev.01, 17/DE, p. 16; Greve in Sydow, Commentary Art. 12 para. 11; Illibauer in Knyrim, DatKomm Art. 12 para. 39; with regard to the DSG 2000 also Jahnel, Handbook para. 7/22 with further references).
D.6. Remedial Powers


The standard for valid consent also requires that no unfair practices are used. The person concerned may therefore not be pressured either directly or subtly to give consent. It is therefore not permitted to design the "Reject" option in such a way (e.g. color differences, different contrast ratios or positioning) that it is less prominent in comparison to the "Accept" option (see the "FAQ on cookies and data protection", available at www.dsb.gv.at, in particular questions 7 and 8; see also the EDPB Report of the work undertaken by the Cookie Banner Taskforce, p. 6, available at https://edpb.europa.eu/our-work-tools/our-documents/report/report-work-undertaken-cookie-banner-
The DPA has authority under Article 58(2)(d) GDPR to issue corrective orders that may, among other things, instruct a controller to amend or carry out processing activities in a particular way within a specified period.


taskforce_en). Reference should also be made to Recital 75 of Regulation (EU) 2024/900, which states – in summary – that the decision of individuals when giving consent should not be influenced in such a way that their decision-making is distorted or impaired; although this regulation refers to political targeting, the considerations can generally be transferred to consent under data protection law, especially since the aforementioned Recital expressly refers to the GDPR. Based on this standard, the following can be noted for the website www.orf.at: - 19 – In the present case, a cookie banner is used as a request for consent for the use of cookies (and the associated processing of personal data). Specifically,
Neither the GDPR, the DSG, nor the AVG stipulate that ex officio powers may only be exercised within the scope of a data protection review under Article 58(1)(b) GDPR.


a dark blue button (hexadecimal color code #466199) with
Therefore, the Federal Administrative Court has already held that the DPA may also use the corrective powers under Article 58(2) GDPR ex officio within a complaint procedure (see BVwG decision of 16 November 2022, Zl. W274 2237056-1/8E, and most recently, BVwG decision of 31 July 2024, GZ: W108 2284491-1/15E).


“Accept all cookies” and two white buttons (hexadecimal color code #FFFFFF) with “Only
The Federal Administrative Court’s reasoning aligns with the European Court of Justice (CJEU), which has held that a supervisory authority is obligated to exercise its remedial powers in the event of identified deficiencies (see CJEU judgment of 16 July 2020, C-311/18, para. 111).


necessary cookies” and “Cookie preferences” are offered as options. The background of the cookie banner is
Although the complaint was dismissed in the outcome, since the request for consent (cookie banner) and the use of cookies—based on the reasons detailed below—do not comply with data protection requirements, a corrective order ex officio was required.


a very light shade of blue (hexadecimal color code #f0f1f4; see all of this
With a communication dated 2 August 2024, the DPA granted R the opportunity to provide a statement on the website www.orf.at and the cookie banner. In its statement dated 16 August 2024, R presented its position.


Fact finding C.6.).From the point of view of the data protection authority, however, the "Accept all cookies" button is more prominent, as its dark blue color makes it stand out much more clearly from the light blue background of the cookie banner than the other buttons with a white background. When requesting consent, the attention of data subjects is therefore primarily drawn to "Accept all cookies" due to the choice of color or contrast. This conclusion is also supported by factual finding C.6. Accordingly, the contrast of the "Accept all cookies" button to the background of the cookie banner is 5.42:1, and the contrast of the "Only necessary cookies" and "Cookie preferences" buttons to the background of the cookie banner is 1.13:1. However, as stated, ISO-9241–3 recommends a minimum contrast of 3:1. At https://biti-wiki.de/index.php?title=1.01.0_-_Ausreichender_Kontrast (last accessed on October 28, 2024) it says the following:
D.7. Competence for Corrective Order and Application of the GDPR


"A brightness contrast of 3:1 is the minimum recommended by ISO-9241-303 for easily legible text
Regarding the competence of the DPA and the applicability of the GDPR, reference is made to the considerations under D.1 (Relationship between e-Privacy Directive and GDPR) and D.3 (Processing of Personal Data).


with normal vision. A contrast of 4.5:1 is used to take into account the loss of contrast sensation resulting from moderately reduced visual acuity, color blindness or normal aging. The possibility of a personalized color setting must not result in the application no longer being easy to read in the normal view. This is because users with minor limitations usually want to use the normal view in order to be able to communicate more easily with other users. Users of black and white monitors and in environments with strong light also benefit from this success criterion." Taking all these considerations into account, it can therefore be stated that the cookie banner in question from www.orf.at (the request for consent) cannot be considered an unambiguous expression of intent within the meaning of Art. 4 Z 11 GDPR. In particular, it cannot be ruled out that data subjects selected the "Accept all cookies" option simply because they did not realize that other options were available due to the design. This result is also supported by the fact that the BG, as the party responsible for the validity of each consent, bears the burden of proof (cf. the judgment of the ECJ of July 4, 2023, C-252/21 para. 95). However, this burden of proof cannot be met with such a design of a request for consent or with such a color selection. - 20 –
These considerations are also relevant for the corrective order pursuant to Point 2 of the ruling, as cookies containing UUIDs and further browser data, along with the IP address, are still transmitted to third-party servers (see Finding of Facts C.7.).


In addition, such a misleading design does not comply with the principle of data processing
There is also no evidence of technical safeguards that would prevent the association of these data with additional information within the processing chain (see CJEU judgment of 27 October 2022, C-129/21, para. 81 on accountability and compliance obligations of controllers).


in good faith (“fairly processed”) pursuant to Art. 5 para. 1 lit. a GDPR nor with the principle of
It is unnecessary for R itself to be able to establish a personal connection (see CJEU judgment of 29 July 2019, C-40/17, paras. 66 ff with references).


privacy by design pursuant to Art. 25 para. 1 leg. cit. This
A broad interpretation of Article 4(1) GDPR is further supported by the purpose of the Regulation. Its purpose is to ensure a high level of protection of the rights and freedoms of natural persons in the processing of personal data (see CJEU judgment of 1 August 2022, C-184/20, para. 61). This objective would be undermined by applying an overly narrow standard to "identifiability."


fact also speaks in favor of the interpretation of Art. 4 Z 11 in conjunction with Art. 7 GDPR advocated by the data protection authority.
In a comparable case—at least with regard to the cookies ioam2018 and i00—the Federal Administrative Court also found the GDPR applicable (see BVwG decision of 26 April 2024, GZ: W211 2281997-1/5E, Section 3.2.1).


The BG will therefore have to redesign the request for consent. The BG will either use the same color for all buttons or it will use colors so that the above-mentioned
On Point 2(a) of the Ruling


recommendations of ISO-9241-303 regarding contrast are complied with.
D.8. Design of the Consent Request (Cookie Banner)


On point 2 b)
First, it should be noted that instructions under Article 58(2)(d) GDPR may also encompass adjustments to consent requests (see Zavadil in Knyrim, DatKomm Article 58 GDPR [as of 1 July 2024, rdb.at] Article 58 para. 34/1 with references).


D.9. On the use of cookies before interacting with the cookie banner
When assessing how the cookie banner and interaction options should be understood, the standard of a reasonably informed, attentive, and circumspect consumer must be applied (see CJEU judgment of 16 July 1998, C-210/96 [Gut Springenheide GmbH], para. 37; BVwG decision of 13 December 2022, GZ: W214 2234934-1; Article 29 Data Protection Working Party, Guidelines on Consent under Regulation 2016/679, WP259 rev.01, 17/DE, p. 16; Greve in Sydow, Commentary Article 12 para. 11; Illibauer in Knyrim, DatKomm Article 12 para. 39; also Jahnel, Handbook, DSG 2000, para. 7/22 with references).


a) On the use of technically unnecessary cookies on the basis of the ORF-G
The standard for valid consent also requires that no unfair practices are used. The data subject must not be directly or subtly pressured into giving consent. It is therefore impermissible to design the “Reject” option in such a way (e.g., with colour differences, contrast ratios, or positioning) that it is less prominent than the “Accept” option (see "FAQs on Cookies and Data Protection," available at www.dsb.gv.at, especially Questions 7 and 8; also the EDPB Report of the Cookie Banner Taskforce, p. 6, available at https://edpb.europa.eu/our-work-tools/our-documents/report/report-work-undertaken-cookie-banner-taskforce_en).


The use of cookies (and the associated processing of personal data), which
Also, Recital 75 of Regulation (EU) 2024/900 states—in summary—that individual decision-making when giving consent should not be influenced in such a way as to distort or impair decision-making; although this regulation refers to political targeting, the considerations can generally be applied to data protection consents, as this Recital explicitly references the GDPR.


are not technically absolutely necessary for the use of a website, requires prior
Based on this standard, the following can be noted for the website www.orf.at:


consent (see the decision of the VwGH of October 31, 2023, VwGH Ro 2020/04/0024; see also
In the present case, a cookie banner is used to request consent for the use of cookies (and the associated processing of personal data). Specifically, a dark blue button ("Accept All Cookies") with hex code #466199 and two white buttons ("Only necessary cookies" and "Cookie preferences") with hex code #FFFFFF are presented. The background of the cookie banner is a very light shade of blue (hex code #f0f1f4; see Finding of Facts C.6.).


Art. 29-WP Opinion 04/2012 on Cookie Consent Exemption, WP 194, 00879/12/EN p. 9 ff).
In the DPA’s view, the “Accept All Cookies” button is more prominent, as it stands out more significantly from the light blue background of the cookie banner than the other white buttons. The focus of the data subject’s attention in the consent request is therefore directed towards “Accept All Cookies” due to the choice of colour and contrast.


According to the case law of the Federal Administrative Court, Art. 5 Para. 3 of Directive 2002/58/EC as amended (in conjunction with
This conclusion is supported by Finding of Facts C.6., according to which the contrast ratio between the “Accept All Cookies” button and the background of the cookie banner is 5.42:1, while the contrast ratio between the “Only necessary cookies” and “Cookie preferences” buttons and the background of the cookie banner is 1.13:1. According to ISO-9241–3, a minimum contrast ratio of 3:1 is recommended.


Section 165 Para. 3 TKG 2021) is also not to be interpreted in the sense of an “economic necessity”.
The following is stated at https://biti-wiki.de/index.php?title=1.01.0_-_


This means that, for example, advertising cookies for displaying personalized advertising are not "technically necessary" because displaying personalized advertising is necessary to finance the operation of the website (see the decision of the BVwG of March 12, 2019, GZ: W214 2223400-1).
Ausreichender_Kontrast (last accessed 28 October 2024):


To the extent that the BG refers to Sections 4e and 7 of the ORF-G with regard to data processing, it must be countered that the clear wording of Article 5, Paragraph 3 of Directive 2002/58/EC as amended (e-
"A brightness contrast of 3:1 is the minimum recommended by ISO-9241-303 for readable text with normal vision. A contrast of 4.5:1 is intended to account for the loss of contrast sensitivity due to moderately reduced visual acuity, colour blindness, or normal ageing. The ability to set personalized colours should not mean that the application in normal view is no longer easily readable. Users with minor impairments usually want to use the standard view to facilitate interaction with other users. This criterion also benefits users of black-and-white monitors and those in environments with strong light."


Data Protection Directive) requires consent for technically unnecessary cookies, which (now) must comply with the requirements of the GDPR (see Article 94, Paragraph 2 of the GDPR).
Taking all these considerations into account, the DPA finds that the current cookie banner on www.orf.at (the consent request) cannot be considered an unambiguous expression of the data subject’s will within the meaning of Article 4(11) GDPR. Specifically, it cannot be ruled out that data subjects selected the “Accept All Cookies” option simply because they did not recognize other available options due to the design.


In other words: the use of technically unnecessary cookies cannot be supported by a legal basis. It follows that the national implementation in Section 165 Para. 3
This finding is further supported by the fact that R, as the controller, bears the burden of proof for the validity of any consent obtained (see CJEU judgment of 4 July 2023, C-252/21, para. 95). However, this burden of proof cannot be met with such a design of a consent request or with the choice of colour.


TKG 2021 - according to an interpretation in line with the directive - cannot be understood in any other way.
Furthermore, such a misleading design violates the principle of fair processing under Article 5(1)(a) GDPR and the principle of data protection by design under Article 25(1) GDPR. This also supports the DPA’s interpretation of Article 4(11) in conjunction with Article 7 GDPR.


It should not be overlooked that the competence of the data protection authority is linked to the data processing
The Respondent must therefore redesign the consent request. Either the same colour should be used for all buttons, or colours should be chosen that comply with the aforementioned contrast recommendations under ISO-9241-303.


that is carried out after cookies are set or read (see point D.7.). - 21 -
On Point 2(b) of the Ruling


However, the ECJ has already stated that in the interaction between Directive 2002/58/EC
D.9. Use of Cookies before Interaction with the Cookie Banner


as amended and the GDPR, lawful data processing within the meaning of the GDPR can only be assumed
a) Use of Non-Essential Cookies Based on the ORF-G


if the requirements for lawful processing under Directive 2002/58/EC as amended are also met (see the ECJ judgment of June 17, 2021, C-597/19, para. 97 ff and
The use of cookies (and the associated processing of personal data) that are not technically essential for a website requires prior consent (see BVwG ruling of 31 October 2023, VwGH Ro 2020/04/0024; also Article 29 Working Party, Opinion 04/2012 on Cookie Consent Exemption, WP 194, 00879/12/EN pp. 9 ff).


in particular para. 118 with further references).
According to the case law of the Federal Administrative Court, Article 5(3) of Directive 2002/58/EC (together with § 165(3) TKG 2021) cannot be interpreted as covering "economic necessity."


As a preliminary question for the legality of data processing according to Art. 6 Para. 1 GDPR, it must therefore be checked whether there is valid consent within the meaning of Directive 2002/58/EC as amended. If this is denied, this will also result in unlawful data processing under the GDPR. b) Regarding the cookies that are set on www.orf.at before an interaction with the cookie banner As stated, the cookie "ioam2018" is used to determine statistical values, whereby the user behavior of people on www.orf.at is determined. The cookie "i00" is used to recognize users' end devices. If the cookie "i00" is suppressed, the ÖWA attempts to recognize the device by combining the IP address and browser name. The cookie "UserID1" is used to re-target the user with online advertising based on the interest shown on the website. The associated domain is adfarm1.addtion.com. The cookie “_autouserid2” is the first-party cookie equivalent to “UserID1” if third-party cookies are blocked.
This interpretation means that advertising cookies, for instance, are not "technically necessary" simply because personalized advertising is essential for financing the website’s operation (see BVwG decision of 12 March 2019, GZ: W214 2223400-1).


Taking into account the considerations in point D.9. a), it should be noted that from a technical point of view, these cookies are not absolutely necessary to provide an information society service expressly requested by the subscriber or user. The purpose of the cookies is either to determine user behavior, to recognize users or their end devices, or to display advertising.
As far as R invokes §§ 4e and 7 ORF-G as a basis for data processing, it must be countered that the clear wording of Article 5(3) of Directive 2002/58/EC (e-Privacy Directive) requires consent for non-essential cookies, which now must comply with the requirements of the GDPR (see Article 94(2) GDPR).


This conclusion of the data protection authority also corresponds to the opinion expressed in the literature, according to which the exception “provision of an expressly requested information society service” (as well as the associated wording “absolutely necessary”) contained in (now) Section 165 Para. 3 TKG 2021 is to be interpreted restrictively. (cf. Riesz in Riesz/Schilchegger
In other words, the use of non-essential cookies cannot be based on a statutory provision. Consequently, the national implementation in § 165(3) TKG 2021 must also be understood in a manner consistent with the Directive.
[ed.], TKG (2016) § 96 Rn 48).


It follows that these cookies may not be used before (valid) consent has been given. - 22 –
It is noted that the DPA’s competence is linked to data processing occurring after cookies are set or read (see Section D.7.).


Addressee of the service contract and deadline
However, the CJEU has already clarified that, under the interaction between Directive 2002/58/EC (e-Privacy Directive) and the GDPR, processing can only be considered lawful under the GDPR if it also complies with the e-Privacy Directive (see CJEU judgment of 17 June 2021, C-597/19, paras. 97 ff, and especially para. 118, with references).


D.10. Result
For the lawfulness of processing under Article 6(1) GDPR, it is therefore necessary to determine first whether valid consent under the e-Privacy Directive has been obtained. If consent is invalid, this results in unlawful processing under the GDPR.


As established, the BG is the operator of the website in question www.orf.at and decides
b) Cookies Set on www.orf.at before Any Interaction with the Cookie Banner


which cookies are placed on its website (and, associated with this, which
As established, the cookie "ioam2018" is used to collect statistical data and to track user behavior on www.orf.at.


data processing is carried out; see statement of facts C.2.).
The cookie "i00" serves to recognize user devices. If the cookie "i00" is suppressed, ÖWA attempts to identify the device through a combination of IP address and browser information.


It follows that the BG is to be qualified as the data protection controller in accordance with Art. 4 Z 7 GDPR for the data processing in question, since it decides on the purposes and means of the data processing. The service contract therefore also had to be awarded to the BG.
The cookie "UserID1" is used to retarget the user with online advertising based on their interests shown on the website. The related domain is adfarm1.addtion.com. The "_autouserid2" cookie is the first-party equivalent of "UserID1" when third-party cookies are blocked.


From the point of view of the data protection authority, a period of six weeks is appropriate to adapt the website in question (including the cookie banner) accordingly.
In view of the considerations in Section D.9.a), these cookies are not technically essential to provide an information society service expressly requested by the user or participant. Their purpose is to track user behavior, recognize devices, or serve advertising.


The decision was therefore made in accordance with the ruling.
This conclusion aligns with the position in legal literature, which interprets the exception in § 165(3) TKG 2021—“providing an expressly requested service of the information society” and the associated requirement of “strict necessity”—as restrictive (see Riesz in Riesz/Schilchegger [eds], TKG [2016] § 96 para. 48).


LEGAL REMEDIES
It follows that these cookies must not be used before valid consent is obtained.


A written appeal against this decision can be lodged with the Federal Administrative Court within four weeks of delivery. The appeal must be lodged with the data protection authority
Addressee of the Corrective Order and Compliance Period


and must contain
D.10. Conclusion


- the name of the contested decision (reference number, subject)
As established, R operates the website www.orf.at and decides which cookies are set on the website (and the associated data processing; see Finding of Facts C.2.).


- the name of the authority concerned,
This makes R the controller under Article 4(7) GDPR for the data processing in question, as it determines the purposes and means of the processing. The corrective order was therefore addressed to R.


- the reasons on which the claim of illegality is based,
A six-week compliance period is deemed reasonable for R to adjust the website (including the cookie banner) accordingly.


- the request and
The decision was therefore made as stated in the ruling.


- the information required to assess whether the appeal was lodged in time.
Appeal Instructions


The data protection authority has the option of amending its decision within two months either by
An appeal against this decision may be filed within four weeks of delivery by submitting a written complaint to the Federal Administrative Court. The complaint must be filed with the Data Protection Authority and must include:
- the designation of the contested decision (File No., subject),
- the designation of the DPA as the authority concerned,
- the grounds for the alleged illegality,
- the request, and
- the information required to assess whether the complaint was submitted within the deadline.


a preliminary decision on the appeal or by submitting the appeal with the files of the
The DPA may, within two months, either amend its decision through an administrative appeal decision or forward the complaint along with the case files to the Federal Administrative Court.


proceedings to the Federal Administrative Court.
A complaint against this decision is subject to a fee. The fixed fee for such a submission, including annexes, is 30 Euros. The fee is payable to the Austrian Tax Office, and the designated payment purpose should be specified.


The appeal against this decision is subject to a fee. The fixed fee for a
The fee must generally be paid electronically using the “Tax Office Payment” function. The recipient should be specified as the Austrian Tax Office - Department of Special Jurisdiction (IBAN: AT83 0100 0000 0550 4109, BIC: BUNDATWW). Additionally, the tax number/assessment account number 10 999/9102, the tax type "EEE – Complaint Fee," the date of the decision as the period, and the amount must be specified.


corresponding submission including attachments is 30 euros. The fee must be paid into the account of the Austrian tax office, stating the
If the e-banking system of your bank does not support the “Tax Office Payment” function, the EPS procedure in FinanzOnline may be used. An electronic transfer can only be omitted if the taxpayer does not use an e-banking system (even if they have internet access). In that case, the payment must be made using a payment instruction, with careful attention to correct allocation. Further information can be obtained from the Tax Office and the "Electronic Payment and Payment Notification for Self-Assessed Taxes" manual.


purpose of payment.
Proof of payment must be attached to the submission to the DPA, either as a payment receipt or a printout showing that a payment instruction has been issued. Failure to pay the fee, or to pay it in full, will result in a report to the competent Tax Office.


The fee must always be transferred electronically using the “tax office payment” function. The Austrian tax office - Special Competences Department must be specified or
A timely and admissible complaint to the Federal Administrative Court has a suspensive effect. However, the suspensive effect may be excluded in the ruling of the decision or by a separate decision.


selected as the
28 October 2024 
For the Head of the Data Protection Authority:


recipient (IBAN: AT83 0100 0000 0550 4109, BIC: BUNDATWW). Furthermore, the
Signed by serial number 1449622981, CN=Data Protection Authority, C=AT 
Date/Time 2024-10-28T09:44:16+01:00
</pre>
</pre>

Revision as of 08:08, 30 October 2024

DSB - D124.0507/24 2024-0.633.166
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 17 GDPR
Article 25(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 11.08.2021
Decided: 28.10.2024
Published:
Fine: n/a
Parties: Österreichischer Rundfunk - ORF
National Case Number/Name: D124.0507/24 2024-0.633.166
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: NOYB (in DE)
Initial Contributor: Ao

The DPA ordered a public broadcaster to adjust its website’s cookie banner since the graphic emphasis of the "accept all cookies" option invalidates the data subject’s consent under Article 6(1)(a) GDPR.

English Summary

Facts

On the 11 August 2021, the data subject, represented by noyb filed a complaint against the Austrian public broadcaster (Österreichischer Rundfunk – ORF). The data subject visited the website of the controller (www.orf.at) on the 21 January 2021 and was confronted with a cookie banner which lacked any clear option to refuse the placement of cookies. Further, the controller had placed cookies ahead of any interaction with the cookie banner. The complaint highlighted that through the design of the cookie banner, the controller could not rely on the unambiguous consent of users for the processing of personal data and requested the erasure of their personal data gathered through the cookies.

The data subject therefore requested the DPA to order the controller to delete the data subject's personal data in accordance with Article 17 GDPR and to cease the unlawful processing of personal data of users.

Throughout the course of the proceedings, the controller revised the cookie banner and included two buttons, one to reject the placement of cookies and one to set certain preferences. The two added buttons were set with the same colour as the cookie banner background. The button to accept all cookies however was equipped with a dark blue colour.

The controller argued, that the difference in colour made the selection process easier for the user. Further, none of the data gathered through cookies was stored by the controller and during the course of the proceedings the controller informed recipients of the data subject's request for erasure.

Holding

Design of the cookie banner

Primarily, the DSB reiterated that economic necessity such as personalized advertising does not equate to the technological necessity of cookies for the functioning of the website. The cookies placed before any interaction with the cookie banner were for statistical and analytical purposes and not technologically necessary for the functioning of the website. Therefore, prior consent of the user is required.

Secondarily, in order to obtain prior consent, the DSB held that no unfair practices can be involved in the design of the cookie banner. Specifically, the button to reject the use of cookies cannot be made less prominent than the accept button. The DSB stated that the decision making process of the data subject shall not be distorted or impaired in any way. The revised cookie banner showed a prominent dark blue colour for the accept all cookie button while the other two options of setting preferences and accepting only necessary cookies were given a pale white colour which blended into the cookie banner background. The DSB concluded that the contrast is the deciding factor and points out that a 3:1 minimal contrast is required. This resulted in the DSB’s reasoning that no unambiguous expression of agreement as defined in Article 4(11) GDPR was given by the data subject.

In relation to the design of the cookie banner, the DSB ordered the controller to adjust the banner within a period of six weeks to ensure equal prominence of all cookie selection options. The DSB declared that the controller must ensure equal design in regard to colour, size, contrast, placement and prominence of the buttons. It detailed that it is unlawful to emphasize any of the options through overly conspicuous design such as a different colour, larger font or more prominent placement.

Right to erasure and order to comply

Regarding the processing of personal data of the data subject, the DSB accepted that the controller did not store the personal data collected through cookies and that it had informed the recipients of the request for erasure and therefore found no violation of Article 17 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Barichgasse 40-42  
A-1030 Vienna  
Tel.: +43-1-52152 302549  
E-Mail: dsb@dsb.gv.at  
File No.: D124.0507/24   2024-0.633.166  
Officer in Charge:
For the attention of NOYB  
Data Protection Complaint (Article 77(1) GDPR, § 24(1) DSG)  
Against  
Austrian Broadcasting Corporation (ORF)  
Delivered via Email

Decision  
Ruling

The Data Protection Authority (DPA) hereby issues a decision concerning the data protection complaint lodged by (complainant), represented by NOYB – European Center for Digital Rights, Goldschlagstraße 172/4/3/2, 1140 Vienna, ZVR: 1354838270, dated 11 August 2021, against the Public Foundation, Austrian Broadcasting Corporation (Respondent), represented by Schönherr Rechtsanwälte GmbH, regarding (A) the right to erasure and the obligation to inform about the erasure, and (B) the request to order the Respondent to cease unlawful processing activities, as follows:

1) The complaint is dismissed.
2) The Respondent is hereby ordered ex officio to, within six weeks,
   a) modify the consent request (cookie banner, see Finding of Facts C.6.) on the website www.orf.at to ensure that valid consent is obtained upon visiting the website. To this end, the Respondent must modify the cookie banner to provide the data subject with an equal choice on the first level of the cookie banner between "Accept all cookies" and "Only necessary cookies". It must be ensured that both options are designed equally in terms of visual appearance, including color, size, contrast, placement, and emphasis. It is not permissible to highlight one of the options through an excessively prominent design, such as preferred color, larger font size, or more prominent placement.
   b) modify the website www.orf.at to ensure that the following cookies are not set prior to obtaining consent upon visiting this website:
      i) ioam2018 (see Finding of Facts C.7.);
      ii) i00 (see Finding of Facts C.7.);
      iii) UserID1 (see Finding of Facts C.7.);
      iv) autouserid2 (see Finding of Facts C.7.).

Legal Basis: Articles 4(11), 5(1)(a), 7, 12(1), 17, 19, 57(1)(f), 58(2) and 77(1) of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), OJ L 119, 4.5.2016, p. 1; §§ 18(1) and 24(1), (2)(5), (4) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; § 165 of the Telecommunications Act 2021 (TKG 2021), Federal Law Gazette I No. 190/2021 as amended; § 1(1) of the Austrian Broadcasting Act (ORF-G), Federal Law Gazette No. 379/1984 as amended.

Reasoning

A. Submissions of the Parties and Procedural History  
A.1. In their submission dated 11 August 2021, the complainant (hereinafter referred to as “CP”) summarised as follows:

The CP visited the Respondent's website (hereinafter "R") at www.orf.at on 20 January 2021. The website displayed a cookie banner, and cookies were set, some containing a unique user identification number. A summary of all HTTP requests and responses was attached as an annex. For all processing activities that R sought to justify based on the cookie banner, the term "relevant processing activities" is used. Several violations occurred due to the design of the mentioned cookie banner, and valid consent could not be assumed. The CP requested that R be instructed to cease all relevant processing activities and delete all relevant personal data. The GDPR permits the supervisory authority to issue an order that goes beyond the personal data of the CP. This complaint (case number C-037-401) was directed against ORF Online and Teletext GmbH & Co KG. Several annexes were attached to the submission.

A.2. In their response dated 10 July 2023, ORF Online and Teletext GmbH & Co KG summarised as follows:

The Austrian Broadcasting Corporation is responsible for storing cookie values and other device information, as evidenced by the cookie policy. However, ORF Online and Teletext GmbH & Co KG is not responsible.

A.3. In a further statement dated 26 July 2023, the CP summarised as follows:

Following ORF Online and Teletext GmbH & Co KG's response, the complaint is directed against R (Austrian Broadcasting Corporation). The online list of controllers and processors at https://orf.at/stories/datenschutz-verantwortliche/ does not indicate which legal entity is responsible for which data processing.

A.4. In their statement dated 4 September 2023, R summarised as follows:

The change of Respondent is impermissible due to preclusion, as the subjective preclusive period has elapsed. An ex officio correction of the designation is impermissible. The CP's applications are likewise inadmissible as none of the applications made in the data protection complaint were lawfully implemented. The CP did not specify the facts, and it would be unreasonable to review the .har file (Annex 5), which contains approximately 17,000 lines. Nevertheless, R reviewed the file, and most cookies were not set by R but by the domain "derstandard.at". There was no cooperation with "derstandard.at" at the time of the complaint. The CP also did not apply for deletion. The complaint is also substantively unfounded. It is also to be assumed that the CP visited the website only to generate an automatically generated complaint. The complaint is not a personal exercise of rights but rather an inadmissible association complaint. Furthermore, R responded to the DPA’s inquiries.

A.5. In a statement dated 8 November 2023, the CP summarised as follows:

The CP refers to previous submissions, stating that the online list of controllers and processors of ORF does not make it clear which legal entities of ORF are responsible for which data processing. Thus, the complaint was initially directed at the party presumed to be the operator of the website www.orf.at. The information is still available today that ORF Online and Teletext GmbH & Co KG is responsible for www.orf.at. Furthermore, the complaint was submitted within the time limit, and the applications made are admissible. It was merely indicated that the DPA could issue orders beyond the complainant (presumably the complainant’s data). Concerning the .har file, it is noted that it also contains visits to "derstandard.at". This is relevant to show that this was a "normal" internet visit, during which multiple websites were visited. A URL search for orf.at yielded 357 results. A direct or indirect correlation exists. An application for deletion is not required to assert the right to erasure. The cookie banner continues to fail to meet data protection requirements.

A.6. In a statement dated 28 March 2024, R summarised as follows:

The CP submitted Annex 4 as part of the complaint. It is assumed that the CP is aware of the content of Annex 4. In Annex 4, ORF is expressly designated as the controller. The designation of the party (i.e., the original designation of the Respondent) cannot be interpreted otherwise due to its explicitness. However, this can remain undecided since, as already stated in the statement dated 4 September 2023, the CP’s deletion request was granted. The procedure is to be discontinued according to § 24(6) DSG. As for the alleged continuous legal infringement, this does not constitute a change to the initial complaint, as such a change would be impermissible due to preclusion. The submission cannot be regarded as a new complaint, as the CP’s statement shows that they intend to maintain the original data protection complaint. The reference to the "IDE" cookie does not change the preclusion. The CP did not even claim that the same "IDE cookie value" was stored in the browser at the time in question (20 January 2021). In summary, the CP’s deletion request was granted. R also overhauled the entire ORF website (including the cookie banner).

A.7. In a statement dated 17 April 2024, the CP essentially reiterated the previous submissions.

A.8. In a communication dated 2 August 2024, the DPA requested that R provide a statement within two weeks and submit or specify any suitable evidence to substantiate its submissions. The DPA highlighted the following issues (excerpt):

"Subject: Request for Statement
The DPA hereby transmits the CP’s statement dated 17 April 2024. In the meantime, the DPA has noted the changes on the website www.orf.at.
You are requested to provide a statement on the CP’s submission and the following points:
   - Why are the cookies "ioam2018" and "i00" set before consent is given? If § 7 ORF-G is cited in this regard, please explain how this complies with § 165(3) TKG 2021 and Art. 5(3) of Directive 2002/58/EC.
   - Why is the "Accept All Cookies" button coloured blue, while the other buttons lack

 any distinctive colour?"

A.9. In a statement dated 16 August 2024, R summarised as follows:

The "Accept All Cookies" button is coloured blue because the entire website primarily uses the colours white and blue. The contrast facilitates selection for users. The white buttons are also clearly distinguished from the light grey background. The lawfulness of the data processing in question derives from the legal obligation of R to measure reach under §§ 4e, 7 ORF-G. Measurement is essential to fulfil the statutory mandate. The data collection by the cookies "ioam2018" and "i00" is based, as a precaution, on both the legal basis of compliance with a legal obligation and the exercise of a task carried out in the public interest. R has instructed the Austrian Web Analysis (ÖWA), which acts as a service provider for R, to delete the corresponding cookie values. Furthermore, these cookie values are not personal data. The DPA is not competent for enforcing § 165(3) TKG 2021.

A.10. In a statement dated 28 March 2024, the CP summarised as follows:

According to the CP, the design of the cookie banner and the colours chosen for the buttons are misleading. Colour design has a significant impact on user choice, which has been academically proven. The norms cited by R do not provide an adequate basis for data processing, as the ORF-G does not stipulate how reach is to be measured. Other options than tracking cookies are available. Furthermore, the cookies "ioam2018" and "i00" (or their values) are legally considered personal data.

B. Subject of the Complaint  
B.1. Based on the CP’s submissions, it must be decided whether R is to be ordered to delete the CP’s personal data (cookie values) and to notify the recipients of this deletion, as well as to cease the "relevant processing activities".
The "relevant processing activities" refer to cookies (and similar technologies) used during the CP’s visit to www.orf.at on 20 January 2021.
B.2. However, it must first be examined whether, as R argues, the complaint is already time-barred under § 24(4) DSG.

C. Findings of Facts  
C.1. Cookies allow information generated by a website to be stored and saved via the user’s browser. It is a small file or text information (generally less than 1 KB) that a website places on a user’s computer or mobile device through the browser.
A cookie allows the website to "remember" the user’s actions or preferences. Most web browsers support cookies, but users can set their browsers to reject cookies and can delete them at any time.
Websites use cookies to identify users, remember their preferences, and enable users to complete tasks without re-entering information when switching pages or returning to the website.
Cookies can also be used to collect information based on online behaviour for targeted advertising and marketing. For example, companies use software to track user behaviour and create personal profiles, enabling them to show users advertisements tailored to previous searches.

Evidence for C.1.: The descriptions regarding cookie functions are based on the Advocate General’s opinion of 21 March 2019 in Case C-673/17 (Planet 49), para. 36 ff. Since this is a technical description of cookie functionality independent of individual cases, it was included at the factual level rather than in the legal assessment.

C.2. R operates the website www.orf.at and decides under which conditions which cookies are set or read upon accessing the said website.

Evidence for C.2.: The findings are based on R's statement dated 10 July 2023. The CP has not disputed this submission subsequently. The DPA has no reason to question R’s submission.

C.3. The CP visited the website www.orf.at on at least 20 January 2021. The cookie banner on 20 January 2021 was designed as follows:

Evidence for C.3.: The findings are based on the CP’s submission of 11 August 2021 and are undisputed. The screenshot is based on the exhibit "Annex 2.png" submitted by the CP.

C.4. As a result of the visit to the website www.orf.at on 20 January 2021, cookies were set and read on the CP’s device containing a unique, randomly generated value (Universally Unique Identifier, hereinafter "UUID").

The contents of exhibits "Annex 5.har" and "Annex 6.csv" form the basis for these findings.

Evidence for C.4.: The findings are based on the CP’s submission dated 11 August 2021 and the submitted exhibits "Annex 5.har" and "Annex 6.csv". R's statement of 4 September 2023, stating that the submitted exhibits also contain information about visits to other websites (such as www.derstandard.at), is noted. However, as the CP correctly stated on 8 November 2023, the exhibits contain information about an internet visit during which several websites were accessed. Indeed, numerous entries for the URL "orf.at" can be found in the exhibits.

C.5. At present, R does not store any cookie values that were set and read on the CP's device following the visit to www.orf.at on 20 January 2021. R has also informed the recipients of the data transmission (specifically the providers of the services implemented on its website) about the deletion.

Evidence for C.5.: These findings are based on R's statements from 28 March 2024 and 16 August 2024. Upon the DPA’s request, R stated that the relevant data (cookie values) had been deleted, and a notification had been sent to the service providers, notwithstanding the arguments presented. The CP has not disputed this claim but merely noted that no proof was provided. In the DPA's view, there is no reason to doubt R's claim, particularly as R has shown cooperation during the investigation and adjusted the cookie banner, albeit not to the complete satisfaction of all parties and the DPA. Overall, there are no investigative findings that would justify a contrary conclusion.

C.6. R has modified its cookie banner (the request for consent) on the website www.orf.at. The current design of R’s cookie banner is as follows:

Evidence for C.6.: The findings on the cookie banner are based on an ex officio inquiry by the DPA on the website www.orf.at, last accessed on 28 October 2024. The finding that R modified the cookie banner is also derived from the record at hand and is undisputed. The findings on the selected colors for the cookie banner and the buttons are based on an ex officio inquiry on https://encycolorpedia.de/ (last accessed on 28 October 2024). The findings on contrast ratios are based on the publicly accessible website www.orf.at and https://coolors.co/contrast-checker (last accessed on 24 October 2024). The findings regarding the ISO standard are based on the content of ISO-9241–3. The recommended contrast according to this ISO standard is also discussed on https://biti-wiki.de/index.php?title=1.01.0_-_Ausreichender_Kontrast (last accessed on 24 October 2024).

C.7. When accessing the website www.orf.at, the following cookies are set or read before any interaction with the displayed consent request (cookie banner):

| Domain               | Cookie Name     |
|-|--|
| orf.at               | ioam2018        |
| iocnt.net            | i00             |
| orf.at               | didomi_token    |
| adfarm1.addtion.com  | UserID1         |
| www.orf.at           | _autouserid2    |

The cookie "ioam2018" contains a UUID and is used to determine statistical values regarding website usage. The provider is the Austrian Web Analysis (ÖWA), which notes on https://orf.at/stories/datenschutz-cookies/: "Stores a client hash for the Austrian Web Analysis (ÖWA) to optimize the metrics for Unique Clients and Visits. This cookie is set in the context of the domain orf.at."

The cookie "i00" also contains a UUID and serves to recognize user devices. The ÖWA’s description on https://orf.at/stories/datenschutz-cookies/ reads: "This cookie is used by the ÖWA to recognize devices. If the cookie is suppressed, the ÖWA tries to recognize the device through a combination of IP address and browser information. For apps, the ÖWA uses the so-called ‘Advertiser ID,’ unless the use of the ‘Advertiser ID’ (Advertising ID) is deactivated via device settings."

The cookie "didomi_token" contains a UUID and serves as a consent management tool.

The cookie "UserID1" contains a UUID and is used to retarget users with online advertising based on interests shown on the website.

The cookie "_autouserid2" contains the same UUID as "UserID1." It is the first-party cookie equivalent to "UserID1" if third-party cookies are blocked.

Evidence for C.7.: The findings regarding the cookie banner and cookies set are based on an ex officio inquiry by the DPA on the website www.orf.at, last accessed on 28 October 2024. The finding that R modified the cookie banner is derived from the record and is undisputed. The findings on the function of the cookies are based on an ex officio inquiry at the following sources (last accessed on 28 October 2024):
- https://orf.at/stories/datenschutz-cookies/ (information provided by R);
- https://oewa.at/tech-support/mcvd/ (for "ioam2018");
- https://support.didomi.io/didomi-cookies-storage-1 (for "didomi_token");
- https://www.ccm19.de/plugin.php?menuid=253&template=mv/templates/mv_show_front.html&mv_id=1&extern_meta=x&mv_content_id=139&getlang=de (for "UserID1");
- https://github.com/jkwakman/Open-Cookie-Database/blob/master/open-cookie-database.csv (also for "UserID1");
- https://www.cookie.is/UserID1# (also for "UserID1").

D. Legal Assessment

Jurisdictional Issues  
D.1. Relationship between e-Privacy Directive and GDPR

Processing operations in a given factual context can be subject to both the provisions of Directive 2002/58/EC (e-Privacy Directive) or TKG 2021 and the GDPR. While the placement or reading of cookies is assessed under Article 5(3) of the e-Privacy Directive, subsequent data processing falls within the scope of the GDPR (see EDPB Guidelines 01/2020 on processing personal data in connection with connected vehicles and mobility-related applications, Version 2.0, paras 15 and 53).

This also aligns with the European Court of Justice (CJEU) judgment in Fashion ID. The Court found that, following the implementation of a social plugin on a website (falling under the scope of the e-Privacy Directive), the transmission of the website visitor’s data to Facebook Ireland Limited and subsequent data processing fell within the scope of the (former) Directive 95/46 GDPR (see CJEU judgment of 29 July 2019, Case C-40/17, paras 26 and 85).

In comparable cases, the Federal Administrative Court has similarly held that the DPA is competent (see, inter alia, BVwG decision of 26 April 2024, GZ: W211 2281997-1/5E, with references).

The DPA is therefore competent for the present complaint since, as a result of the placement or reading of cookies, data processing (browser data, IP addresses, cookie values) has occurred (see Finding of Facts C.4), and the application of the GDPR is not excluded per se.

D.2. Possible Preclusion under § 24(4) DSG

R argues that the CP’s right to have the complaint addressed is already time-barred under § 24(4) DSG.

In summary, R argues that its privacy policy states that it (the Public Foundation, Austrian Broadcasting Corporation) is the controller for the website www.orf.at. The CP initially filed the complaint against ORF Online and Teletext GmbH & Co KG and subsequently “replaced” R.

It should be noted that the respondent must be specified in accordance with § 24(2)(2) DSG only insofar as is reasonable.

The DPA concurs with the CP’s position that the controller for the website www.orf.at was not clearly identified based on the information available at the time. Even currently, numerous legal entities of ORF are listed at https://orf.at/stories/datenschutz-verantwortliche/ (as of 28 October 2024), without specifying which processing operations each legal entity is responsible for.

R’s reference to the content of Annex 4, submitted by the CP, does not change this conclusion. While it is correct that ORF is designated as the controller in Annex 4, "ORF" can refer to multiple legal entities, as explained above.

Thus, the preclusive period of § 24(2)(2) DSG only began once the CP sufficiently clarified the controller’s identity, which occurred when the CP received R's statement on 10 July 2023. The CP subsequently clarified the respondent as R on 26 July 2023 (see VwGH decision of 27 June 2023, Ro 2023/04/0013, para. 34 on amending the respondent when designation is unreasonable).

Therefore, the (absolute and subjective) preclusion period is met, and the DPA has jurisdiction to address the complaint substantively.

D.3. Processing of Personal Data

The DPA has already ruled in the Google Analytics case, in line with the case law of the European Data Protection Supervisor (EDPS), that cookies containing a unique, randomly generated value (UUID) intended to individualize or distinguish persons meet the definition of personal data under Article 4(1) GDPR. It cannot be ruled out that cookie values and the IP address of a device may be combined at any stage of the processing chain with additional information, for example, when the data subject registers on a website with an email address or real name (see DPA decision of 22 April 2022, GZ: 2022-0.298.191, available on www.dsb.gv.at; this legal view is confirmed, inter alia, by BVwG decisions of 12 May 2023, GZ: W245 2252208-1, and 26 April

 2024, GZ: W211 2281997-1; regarding the identification potential of “Google Analytics cookies,” see the EDPS decision against the European Parliament of 5 January 2022, GZ: 2020-1013, p. 13).

These considerations apply here since cookies containing unique, randomly generated values were set and read on the CP’s device as a result of visiting the website www.orf.at on 20 January 2021 (see Finding of Facts C.4). These cookie values (in combination with browser data and the IP address of the device) were then transmitted to the servers of the respective providers (such as the provider of the advertising cookie "UserID1" with the domain adfarm1.addtion.com).

The material scope of the GDPR is therefore fulfilled.

D.4. Right to Erasure and Obligation to Inform (Complaint Point A)

As established, R currently does not store the information that can be considered the CP’s personal data—namely, the IP address and the cookie values from the CP’s device (see Finding of Facts C.5). Furthermore, the recipients of the data transmission were notified of the deletion in accordance with Article 19 GDPR.

The case law of the Federal Administrative Court (BVwG) also provides that there is no subjective right to a declaration that data subject rights—in this case, the right to erasure—were possibly fulfilled too late (see BVwG decision of 31 January 2020, GZ: W258 2226305-1, with references).

Therefore, at the time of the decision, there is no violation of Articles 17 and 19 GDPR.

D.5. Request for an Order against R to Cease Unlawful Processing (Complaint Point B)

The CP has also requested an order directing R to cease unlawful processing activities.

Under Article 77(1) GDPR, any data subject has "the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work, or place of the alleged infringement, if they consider that the processing of personal data relating to them infringes this Regulation."

The wording of Article 77(1) GDPR suggests that any requests submitted within a complaint procedure must pertain to the data of the complainant ("personal data relating to them").

As stated, R currently does not store the CP’s data subject to the complaint, meaning there is no remedy applicable to the CP’s data.

In light of the conclusive nature of the remedies available under Article 58(2) GDPR (see also VwGH ruling of 1 September 2022, Ra 2022/04/0066) and the wording of Article 77(1) GDPR and § 24(1) DSG ("infringes" and not "infringed" or "will infringe"; English version: "infringes," French version: "constitue"), no order can be issued within the scope of a complaint procedure for future data processing (i.e., if the CP visits the website again in the future).

Thus, there is no need to address the CP’s general allegations concerning the cookie banner.

The complaint is therefore dismissed as stated in the ruling.

General Considerations on Point 2 of the Ruling

D.6. Remedial Powers

The DPA has authority under Article 58(2)(d) GDPR to issue corrective orders that may, among other things, instruct a controller to amend or carry out processing activities in a particular way within a specified period.

Neither the GDPR, the DSG, nor the AVG stipulate that ex officio powers may only be exercised within the scope of a data protection review under Article 58(1)(b) GDPR.

Therefore, the Federal Administrative Court has already held that the DPA may also use the corrective powers under Article 58(2) GDPR ex officio within a complaint procedure (see BVwG decision of 16 November 2022, Zl. W274 2237056-1/8E, and most recently, BVwG decision of 31 July 2024, GZ: W108 2284491-1/15E).

The Federal Administrative Court’s reasoning aligns with the European Court of Justice (CJEU), which has held that a supervisory authority is obligated to exercise its remedial powers in the event of identified deficiencies (see CJEU judgment of 16 July 2020, C-311/18, para. 111).

Although the complaint was dismissed in the outcome, since the request for consent (cookie banner) and the use of cookies—based on the reasons detailed below—do not comply with data protection requirements, a corrective order ex officio was required.

With a communication dated 2 August 2024, the DPA granted R the opportunity to provide a statement on the website www.orf.at and the cookie banner. In its statement dated 16 August 2024, R presented its position.

D.7. Competence for Corrective Order and Application of the GDPR

Regarding the competence of the DPA and the applicability of the GDPR, reference is made to the considerations under D.1 (Relationship between e-Privacy Directive and GDPR) and D.3 (Processing of Personal Data).

These considerations are also relevant for the corrective order pursuant to Point 2 of the ruling, as cookies containing UUIDs and further browser data, along with the IP address, are still transmitted to third-party servers (see Finding of Facts C.7.).

There is also no evidence of technical safeguards that would prevent the association of these data with additional information within the processing chain (see CJEU judgment of 27 October 2022, C-129/21, para. 81 on accountability and compliance obligations of controllers).

It is unnecessary for R itself to be able to establish a personal connection (see CJEU judgment of 29 July 2019, C-40/17, paras. 66 ff with references).

A broad interpretation of Article 4(1) GDPR is further supported by the purpose of the Regulation. Its purpose is to ensure a high level of protection of the rights and freedoms of natural persons in the processing of personal data (see CJEU judgment of 1 August 2022, C-184/20, para. 61). This objective would be undermined by applying an overly narrow standard to "identifiability."

In a comparable case—at least with regard to the cookies ioam2018 and i00—the Federal Administrative Court also found the GDPR applicable (see BVwG decision of 26 April 2024, GZ: W211 2281997-1/5E, Section 3.2.1).

On Point 2(a) of the Ruling

D.8. Design of the Consent Request (Cookie Banner)

First, it should be noted that instructions under Article 58(2)(d) GDPR may also encompass adjustments to consent requests (see Zavadil in Knyrim, DatKomm Article 58 GDPR [as of 1 July 2024, rdb.at] Article 58 para. 34/1 with references).

When assessing how the cookie banner and interaction options should be understood, the standard of a reasonably informed, attentive, and circumspect consumer must be applied (see CJEU judgment of 16 July 1998, C-210/96 [Gut Springenheide GmbH], para. 37; BVwG decision of 13 December 2022, GZ: W214 2234934-1; Article 29 Data Protection Working Party, Guidelines on Consent under Regulation 2016/679, WP259 rev.01, 17/DE, p. 16; Greve in Sydow, Commentary Article 12 para. 11; Illibauer in Knyrim, DatKomm Article 12 para. 39; also Jahnel, Handbook, DSG 2000, para. 7/22 with references).

The standard for valid consent also requires that no unfair practices are used. The data subject must not be directly or subtly pressured into giving consent. It is therefore impermissible to design the “Reject” option in such a way (e.g., with colour differences, contrast ratios, or positioning) that it is less prominent than the “Accept” option (see "FAQs on Cookies and Data Protection," available at www.dsb.gv.at, especially Questions 7 and 8; also the EDPB Report of the Cookie Banner Taskforce, p. 6, available at https://edpb.europa.eu/our-work-tools/our-documents/report/report-work-undertaken-cookie-banner-taskforce_en).

Also, Recital 75 of Regulation (EU) 2024/900 states—in summary—that individual decision-making when giving consent should not be influenced in such a way as to distort or impair decision-making; although this regulation refers to political targeting, the considerations can generally be applied to data protection consents, as this Recital explicitly references the GDPR.

Based on this standard, the following can be noted for the website www.orf.at:

In the present case, a cookie banner is used to request consent for the use of cookies (and the associated processing of personal data). Specifically, a dark blue button ("Accept All Cookies") with hex code #466199 and two white buttons ("Only necessary cookies" and "Cookie preferences") with hex code #FFFFFF are presented. The background of the cookie banner is a very light shade of blue (hex code #f0f1f4; see Finding of Facts C.6.).

In the DPA’s view, the “Accept All Cookies” button is more prominent, as it stands out more significantly from the light blue background of the cookie banner than the other white buttons. The focus of the data subject’s attention in the consent request is therefore directed towards “Accept All Cookies” due to the choice of colour and contrast.

This conclusion is supported by Finding of Facts C.6., according to which the contrast ratio between the “Accept All Cookies” button and the background of the cookie banner is 5.42:1, while the contrast ratio between the “Only necessary cookies” and “Cookie preferences” buttons and the background of the cookie banner is 1.13:1. According to ISO-9241–3, a minimum contrast ratio of 3:1 is recommended.

The following is stated at https://biti-wiki.de/index.php?title=1.01.0_-_

Ausreichender_Kontrast (last accessed 28 October 2024):

"A brightness contrast of 3:1 is the minimum recommended by ISO-9241-303 for readable text with normal vision. A contrast of 4.5:1 is intended to account for the loss of contrast sensitivity due to moderately reduced visual acuity, colour blindness, or normal ageing. The ability to set personalized colours should not mean that the application in normal view is no longer easily readable. Users with minor impairments usually want to use the standard view to facilitate interaction with other users. This criterion also benefits users of black-and-white monitors and those in environments with strong light."

Taking all these considerations into account, the DPA finds that the current cookie banner on www.orf.at (the consent request) cannot be considered an unambiguous expression of the data subject’s will within the meaning of Article 4(11) GDPR. Specifically, it cannot be ruled out that data subjects selected the “Accept All Cookies” option simply because they did not recognize other available options due to the design.

This finding is further supported by the fact that R, as the controller, bears the burden of proof for the validity of any consent obtained (see CJEU judgment of 4 July 2023, C-252/21, para. 95). However, this burden of proof cannot be met with such a design of a consent request or with the choice of colour.

Furthermore, such a misleading design violates the principle of fair processing under Article 5(1)(a) GDPR and the principle of data protection by design under Article 25(1) GDPR. This also supports the DPA’s interpretation of Article 4(11) in conjunction with Article 7 GDPR.

The Respondent must therefore redesign the consent request. Either the same colour should be used for all buttons, or colours should be chosen that comply with the aforementioned contrast recommendations under ISO-9241-303.

On Point 2(b) of the Ruling

D.9. Use of Cookies before Interaction with the Cookie Banner

a) Use of Non-Essential Cookies Based on the ORF-G

The use of cookies (and the associated processing of personal data) that are not technically essential for a website requires prior consent (see BVwG ruling of 31 October 2023, VwGH Ro 2020/04/0024; also Article 29 Working Party, Opinion 04/2012 on Cookie Consent Exemption, WP 194, 00879/12/EN pp. 9 ff).

According to the case law of the Federal Administrative Court, Article 5(3) of Directive 2002/58/EC (together with § 165(3) TKG 2021) cannot be interpreted as covering "economic necessity."

This interpretation means that advertising cookies, for instance, are not "technically necessary" simply because personalized advertising is essential for financing the website’s operation (see BVwG decision of 12 March 2019, GZ: W214 2223400-1).

As far as R invokes §§ 4e and 7 ORF-G as a basis for data processing, it must be countered that the clear wording of Article 5(3) of Directive 2002/58/EC (e-Privacy Directive) requires consent for non-essential cookies, which now must comply with the requirements of the GDPR (see Article 94(2) GDPR).

In other words, the use of non-essential cookies cannot be based on a statutory provision. Consequently, the national implementation in § 165(3) TKG 2021 must also be understood in a manner consistent with the Directive.

It is noted that the DPA’s competence is linked to data processing occurring after cookies are set or read (see Section D.7.).

However, the CJEU has already clarified that, under the interaction between Directive 2002/58/EC (e-Privacy Directive) and the GDPR, processing can only be considered lawful under the GDPR if it also complies with the e-Privacy Directive (see CJEU judgment of 17 June 2021, C-597/19, paras. 97 ff, and especially para. 118, with references).

For the lawfulness of processing under Article 6(1) GDPR, it is therefore necessary to determine first whether valid consent under the e-Privacy Directive has been obtained. If consent is invalid, this results in unlawful processing under the GDPR.

b) Cookies Set on www.orf.at before Any Interaction with the Cookie Banner

As established, the cookie "ioam2018" is used to collect statistical data and to track user behavior on www.orf.at.

The cookie "i00" serves to recognize user devices. If the cookie "i00" is suppressed, ÖWA attempts to identify the device through a combination of IP address and browser information.

The cookie "UserID1" is used to retarget the user with online advertising based on their interests shown on the website. The related domain is adfarm1.addtion.com. The "_autouserid2" cookie is the first-party equivalent of "UserID1" when third-party cookies are blocked.

In view of the considerations in Section D.9.a), these cookies are not technically essential to provide an information society service expressly requested by the user or participant. Their purpose is to track user behavior, recognize devices, or serve advertising.

This conclusion aligns with the position in legal literature, which interprets the exception in § 165(3) TKG 2021—“providing an expressly requested service of the information society” and the associated requirement of “strict necessity”—as restrictive (see Riesz in Riesz/Schilchegger [eds], TKG [2016] § 96 para. 48).

It follows that these cookies must not be used before valid consent is obtained.

Addressee of the Corrective Order and Compliance Period

D.10. Conclusion

As established, R operates the website www.orf.at and decides which cookies are set on the website (and the associated data processing; see Finding of Facts C.2.).

This makes R the controller under Article 4(7) GDPR for the data processing in question, as it determines the purposes and means of the processing. The corrective order was therefore addressed to R.

A six-week compliance period is deemed reasonable for R to adjust the website (including the cookie banner) accordingly.

The decision was therefore made as stated in the ruling.

Appeal Instructions

An appeal against this decision may be filed within four weeks of delivery by submitting a written complaint to the Federal Administrative Court. The complaint must be filed with the Data Protection Authority and must include:
- the designation of the contested decision (File No., subject),
- the designation of the DPA as the authority concerned,
- the grounds for the alleged illegality,
- the request, and
- the information required to assess whether the complaint was submitted within the deadline.

The DPA may, within two months, either amend its decision through an administrative appeal decision or forward the complaint along with the case files to the Federal Administrative Court.

A complaint against this decision is subject to a fee. The fixed fee for such a submission, including annexes, is 30 Euros. The fee is payable to the Austrian Tax Office, and the designated payment purpose should be specified.

The fee must generally be paid electronically using the “Tax Office Payment” function. The recipient should be specified as the Austrian Tax Office - Department of Special Jurisdiction (IBAN: AT83 0100 0000 0550 4109, BIC: BUNDATWW). Additionally, the tax number/assessment account number 10 999/9102, the tax type "EEE – Complaint Fee," the date of the decision as the period, and the amount must be specified.

If the e-banking system of your bank does not support the “Tax Office Payment” function, the EPS procedure in FinanzOnline may be used. An electronic transfer can only be omitted if the taxpayer does not use an e-banking system (even if they have internet access). In that case, the payment must be made using a payment instruction, with careful attention to correct allocation. Further information can be obtained from the Tax Office and the "Electronic Payment and Payment Notification for Self-Assessed Taxes" manual.

Proof of payment must be attached to the submission to the DPA, either as a payment receipt or a printout showing that a payment instruction has been issued. Failure to pay the fee, or to pay it in full, will result in a report to the competent Tax Office.

A timely and admissible complaint to the Federal Administrative Court has a suspensive effect. However, the suspensive effect may be excluded in the ruling of the decision or by a separate decision.

28 October 2024  
For the Head of the Data Protection Authority:

Signed by serial number 1449622981, CN=Data Protection Authority, C=AT  
Date/Time 2024-10-28T09:44:16+01:00