APD/GBA (Belgium) - 11/2022
APD/GBA (Belgium) - 11/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(1) GDPR Article 4(11) GDPR Article 5(1)(a) GDPR Article 7 GDPR Article 12 GDPR Article 13 GDPR Article 5.3 ePrivacy Directive |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 21.02.2022 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 11/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-11-2022.pdf (in FR) |
Initial Contributor: | Matthias Smet |
The belgian DPA issued a reprimand to a website owner for violating Article 12 and Article 13 GDPR and ruled an order for compliance of the defendant's processing register, more specifically to mention the third party countries personal data is has been sent to. On top of that, the belgian DPA also shares some interesting insights regarding the processing of cookies.
English Summary
Facts
Activities of the defendant:
Defendant owns a website 'YourOnlineChoices', through which you can control your ad experience online. during browsing the web and visiting different websites, you can control which non-essential (e.g. for advertising purposes) cookies you accept or refuse. If you choose to turn off interest-based advertising, you will still see advertisements on the internet. Disabling it only ensures that the online advertisements you see are not adapted to your suspected interests or preferences on your web browser
Summary of the complaint: The Belgian DPA received a complaint via the Internal Market Information (IMI) system from the Berlin DPA regarding illigitimate use of cookies on a website. The complainant raises in his complaint that (i) the tool for selecting advertising preferences does not work (cookie opt-out option for third parties does not work) and consent is thus not freely given; (ii) the website forces the user to accept cookies in order to be able to select his advertising preferences.
Cross-border processing:
According to Article 56 GDPR "the supervisory authority of the main establishment[...] of the controller shall be competent to at as lead supervisory authority for cross-border processing[...]". The Belgian DPA is competent because the defendant has its sole place of business in Belgium, but its activities substantially affect or are likely to affect data subjects in several Member States, including Germany.
Use of cookies without prior information given to the user (violation transparency principle - Article 5 GDPR) - UPHELD
The DPA recalls that the purpose of the transparency principle is that the data subject should be able to determine in advance what the scope and consequences of the processing encompass. The means that the controller must at least provide information on the duration of the operation of cookies, whether the cookie is first or third party.
When viewing the website, investigation showed that a cookie was already loaded in the browser, before any information could be delivered to the user, since it was technically impossible to display the necessary information in the user's language. The DPA replied that due to the absence of language selection by the user it would have been appropriate to display the display the information regarding the use of cookies in English, a widespread language commonly used by other websites.
Obligation to set cookies in order to select advertising preferences on the website & "Cookie wall" practice (violation of Article 7 GDPR) - NOT upheld
Complainant states that his consent is not freely given, due to the fact that consent is a condition in order to use the website. In its recent guidelines, the EDPB indeed condemns the practice of making the provision of a service or access to a website conditional on the acceptance of write or read operations on the user's device. A side note here is that it must concern non-necessary cookies.
However, in this case the cookie in question is strictly necessary for the functioning of the website. Defendant also showed that the fact that the cookie needs to be placed in order to use certain parts of the website is described on three different places of the website (i.e. the homepage / terms and conditions / Protecting your privacy-page) and thus the legal basis in order to process this personal data and place this cookie is not consent, but legitimate interest of the data controller (Article 6(1)(f) GDPR).
Holding
The Belgian DPA issued a reprimand to a website owner for violating Article 12 GDPR and Article 13 GDPR and ruled an order for compliance of the defendant's processing register, more specifically to mention the third party countries personal data is has been sent to.
On top of that, the belgian DPA also shares some interesting insights regarding the processing of cookies:
- definition of 'trackers';
- different types of cookies;
- valid consent under GDPR and ePrivacy Directive - transparency obligations
Comment
This decision of the belgian DPA is different than the others. A lot of background information and additional information has been provided by the DPA itself regarding 'best practices' when using cookies.
Sidenote for discussion: The investigation service of the Belgian DPA stated about 'non-identifiable information to analyse site activity to improve navigation' that 'although this information is not identifiable, it is still considered personal data. how does this reconcile with the definition of 'personal data' in Article 4(1) GDPR that clearly refers to 'identified or identifiable natural persons'?
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/32 Litigation Chamber Decision on the merits 11/2022 of 21 January 2022 File number: DOS-2018-05968 Subject: Cross-border cookie complaint The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman, and Messrs. Yves Poullet and Christophe Boeraeve, members, resuming the affair in this composition; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (general regulation on data protection), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority (hereinafter ACL); Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; made the following decision regarding: the complainant: Mr. X the defendant: Y. represented by his counsel, Maître Rue, Chaussée de La Hulpe, 177/12, 1170 Brussels., Decision on the merits 11/2022 - 2/32 I- Procedural Feedback 1. Having regard to the complaint received via the IMI system by the Berlin data protection authority (Berliner Beauftragte für Datenschutz und Informationsfreiheit) on August 24, 2018 to the Authority of data protection (DPA); 2. Considering the decision of November 23, 2018 of the President of the Litigation Chamber to transfer the file to the inspection service for investigation; 3. Having regard to the investigation report of the Inspection Service (“IS” below) of October 19, 2019; 4. Having regard to the exchanges between the Berlin data protection authority (Berliner Beauftragte für Datenschutz und Informationsfreiheit) and DPA, in the context of Article 60 GDPR; 5. Considering the decision of April 29, 2020 of the President of the Litigation Chamber considering that the file was ready for substantive processing under Articles 95 § 1, 1° and 98 LCA, the Chairman invited the parties to conclude by letter on the same date; 6. Considering the conclusions of the defendant, received on June 9, 2020; 7. Given the absence of submissions in response from the complainant; 8. Having regard to the Respondent's summary submissions, received on July 21, 2020; 9. Having regard to the translation of the procedural documents (inspection report and conclusions of the defendant) into the plaintiff's language (German); 10. Having regard to the hearing of April 30, 2021 in the presence of the defendant represented by his counsel Me Rue, in the absence of the plaintiff, although he was summoned; 11. Considering the sending to the parties of the minutes of the hearing and the comments of the parties; II- The facts of the complaint 12. The complainant raises in his complaint that the tool for selecting the preferences advertising does not work, in that the opt-out cookie for many third parties does not work (although he clicks the decline option, the accept option automatically resets). He raises as well as his consent to these cookies is forced and therefore not free within the meaning of Article 4.11 and 7 of the GDPR. 13. He further argues that the website requires the user to accept cookies in order to be able to select their advertising preferences., Decision on the merits 11/2022 - 3/32 14. The cookie in question allows the defendant to be informed that the browser of the user accepts or not the cookies of third parties. The Litigation Chamber therefore understands that the complainant opposes the placing of the cookie, as well as the subsequent processing of his personal data by the defendant. 15. The Litigation Chamber will examine the facts reported by the plaintiff, within the framework of the mission of monitoring compliance with the GDPR entrusted to the DPA (of which it is the administrative litigation) by the European legislator (article 58 of the GDPR) and by the Belgian legislator (article 4 LCA), both in the light of the articles of the GDPR referred to in the form of complaint that he introduced on August 24, 2018, that in the light of the articles of the GDPR such examined in the report of the inspection service. 16. The shortcomings noted in the IS report will be examined first. time. The grievances raised by the complainant in his complaint will be examined secondarily. III- Findings of the Inspection Service 17. Following its investigation, the IS produced an investigation report, in which it notes breaches combined with articles 5 and 6, 12 and 13, 24 and 30, 24 and 32, as well as 37 of the GDPR. Statement concerning the principles relating to the processing of personal data (Article 5 of the GDPR) and concerning the lawfulness of the processing (Article 6 of the GDPR): “The technical analysis report of 07/03/2019 (Exhibit 12), the relevant elements of which on pages 9/14 and 10/14 are cited below, demonstrates the existence of the following practices which are incompatible with the principle of lawfulness, loyalty, transparency of Article 5 of the GDPR and with the obligation of lawfulness of the processing of article 6 of the GDPR: “When connecting to the site […] on the home page (screenshot 8) a cookie is already loaded in the browser when no information has been delivered to the user. The cookie named “third_party_c_t » with value « hey+there %21 » coming from the domain (…) is a cookie which makes it possible to inform Y whether or not your browser accepts cookies from third parties”, and ; "By choosing the country in which you are located, we arrive on the screen in capture Screen 9 indicating that non-identifiable information is being collected. The fact that the information is not personally identifiable. There is nothing "transparent" about this box and does not allow the user to get an idea of what is collected and why it is collected. » Observation concerning the transparency of information and communications and methods of the exercise of the rights of the data subject (Article 12 of the GDPR) and information to, Decision on the substance 11/2022 - 4/32 provide when personal data is collected from the person data subject (Article 13 of the GDPR): As for the transparency of information, the IS notes: “The “privacy policy of […]” the text of which can be found on pages 19 to 24 and explanations on pages 9 and 10 of the document […] which was communicated to the service inspection by Y via his email of 07/17/2019 (Exhibit 14) does not comply with Article 12(1) or Article 13 GDPR, which are relevant here, for the following reasons: The information provided is not always transparent and understandable for data subjects as required by Article 12, paragraph 1 of the GDPR. First the language used is not coherent and logical given that the notions of “personal information” and "personal data" are used while the GDPR systematically speaks of " personal data. Then the use of cookies is mentioned accompanied by two warnings which indicate that "disabling cookies for this purpose prevents the control tool from working effectively and could have undesirable consequences on your experience of global navigation" and also that "deleting or rejecting cookies could have undesirable consequences for your experience of our website”. Those warnings are not comprehensible for the persons concerned and prevent a free consent on their part for the use of cookies since they do not explain what “ undesirable consequences” means concretely. Finally, the reference to "additional information" on the sites of Google, Firefox, Windows and Safari is not comprehensible for those concerned since there is no explanation on this mentioned for the persons concerned”. As for the fact that the information would be incomplete, the IS notes: “The information provided is incomplete because all the information that should be provided in accordance with Article 13 of the GDPR are not actually provided to persons concerned. First, the existence of the right to withdraw consent at any time. moment, without affecting the lawfulness of the processing based on the consent made before the withdrawal thereof is not mentioned with regard to the processing of data of a personal nature by Y; this right is only mentioned for the management of cookies on the website accompanied by the aforementioned disclaimer which states that "the act of deleting or, Decision as to the merits 11/2022 - 5/32 rejecting cookies could have undesirable consequences for your experience of our website". Statement concerning the register of processing activities (Article 30 of the GDPR) “The register of processing activities which can be found in the document “[FR] Annex 1_(..) Register of GDPR checks” which was communicated to the inspection service by Y via its email of 07/17/2019 (Exhibit 14) does not mention the identification of third countries to whom the personal data is transmitted for several activities of processing. For these processing activities, the texts “Refer to (…)”, “Refer to (…)”, “Refer to (…)” and “Refer to (…)” are mentioned in the column “Names third countries or international organizations to which the personal data are transferred (if possible)”. Statement concerning the responsibility of the data controller (article 24 of the GDPR) and regarding the security of processing (Article 32 of the GDPR) “The technical analysis report of 07/03/2019 (Exhibit 12), the relevant elements of which on pages 8/14 and 9/14 are quoted below, demonstrates the existence of the following practices which are incompatible with the controller's liability in Article 24 of the GDPR and with the obligation of security of the processing in article 32, paragraph 1 of the GDPR: On screenshot 1 we see that the link to join the server is […]. This link is a link http and not https. This means that the communication protocol between the client station and the server in question is a protocol that carries data in the clear, i.e. not encapsulated in a tunnel as would the TLS protocol for an https link. Which means that the personal data provided by the user on this site does not have the guarantee set out in the information “Protection of your privacy” disseminated at the following link […] of which screenshot 7 shows the excerpt. In its guidelines on the protection of personal data through web services provided by the European institutions the EDPS recommends the use of secure protocols in the transmission of personal data within the framework web services. The use of an http link instead of an https link and the consequences for the security of the treatment as mentioned above, is also inconsistent with the stated guarantee, Decision on the merits 11/2022 - 6/32 in the “privacy policy of […] the text of which can be found on pages 19 to 24 and explanations on pages 9 and 10 of the document “[FR] Letter of response – (…)-” which was communicated to the inspection service by Y via his email of 07/17/2019 (Exhibit 14). the Inspection service refers in this respect to the following sentences mentioned in the aforementioned text of the Y: “We are committed to respecting and protecting the privacy of all individuals with which we act, have acted or will act. seek to give you clear information and control over information personal data we hold about you, as well as other non-personal data information that we may collect and use during your visit to this site Internet. ““No other personal information will be shared with any other third parties. ". Findings concerning the responsibility of the data controller (article 24 of the GDPR) and concerning the appointment of the data protection officer (Article 37 of the GDPR) “In the document “[FR] Letter of response – Ref (…)” which was communicated to the service of inspection by Y via his email of 07/17/2019 (Exhibit No. 14) appears on pages 10 to 11 and pages 25 to 31 a motivation for the decision not to appoint a protection officer data within the organization; according to “The summary of the conclusion is that (…) is not not required to appoint a dedicated data protection officer”. The aforementioned “decision” and its reasoning do not comply with Article 24, paragraph 1 of the GDPR or Article 37(1) GDPR for the following reasons: There is no time of official decision taken by Y concerning the appointment or not of a delegate to the data protection despite the obligation imposed by article 24, paragraph 1 to put implement “appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with this Regulation » . The document “Re DOS (…)-questions in the context of an inspection investigation_FR” which was communicated to the inspection service by Y via his email of 09/09/2019 (Exhibit 17) mentions on pages 10 to 11 that the aforementioned decision “will be placed on the agenda of our next Board of Directors in November 2019, in order to ensure that the decision taken has been officially documented. The elements of the technical analysis report of 07/03/2019 (Exhibit 12) cited above in this report demonstrate that a cookie “allows Y to be informed of the fact that your browser accepts or not third-party cookies” which requires the appointment of a data protection officer on the basis of Article 37, paragraph 1, b), Decision on the substance 11/2022 - 7/32 of the GDPR. This cookie is clearly linked to the operation of the website […] given the explanations of Y concerning this website on pages 3 to 9 of the document “[FR] Letter of response – Ref (…)” which was communicated to the inspection service by Y via his email of 07/17/2019 (Exhibit 14) and allows regular and systematic monitoring on a large scale of persons concerned. » 18. As a reminder, the IS is an independent body of the Litigation Chamber (“CC” below). The investigation report produced is only one of the elements on which the CC relies for make their decision. IV- Motivation IV.1- On the competence of the DPA IV.1.1- On the competence of the DPA within the framework of the IMI system 19. Article 56. GDPR states that “Without prejudice to Article 55, the data protection authority the main establishment or the sole establishment of the controller or the processor is competent to act as lead supervisory authority concerning the cross-border processing carried out by this controller or this subcontractor, in accordance with the procedure provided for in Article 60. 20. Article 4.23 GDPR clarifies the notion of cross-border processing by following terms: “(a) processing of personal data which takes place in the Union in the context of activities of establishments in several Member States of a controller or of a processor when the controller or the processor is established in several Member States; Where (b) processing of personal data which takes place in the Union in the context of activities of a single establishment of a controller or processor, but which materially affects or is likely to materially affect persons concerned in several Member States; » 21. The defendant has its sole establishment in Belgium, but its activities (and more particularly its website (…), being consultable from any EU member state) significantly affect or are likely to significantly affect people concerned in several Member States, including the complainant in Germany. The Chamber, Decision on the Merits 11/2022 - 8/32 Litigation bases its jurisdiction on the basis of a combined reading of Articles 56 and 4.23.b) GDPR. The DPA is entered by the data protection authority in Berlin, following a complaint by the complainant to an authority in the Member State in which finds his habitual residence, in accordance with Article 77.1 of the GDPR, and declares himself lead supervisory authority (Article 60 of the GDPR). IV.1.2- On the competence of the DPA 22. In the section below, the Litigation Chamber recalls that the jurisdiction of the DPA regarding the e-privacy Directive is developed in previous decisions of the Chamber, in particular in decisions 12/2019 of 17 December 2019, 24/2021 of 19 February 2021, as well as 19/2021 of February 12, 2021. This section includes a summary of the House's position. 23. Pursuant to Article 4 § 1 LCA, the DPA is responsible for monitoring compliance with the fundamental principles of data protection, as affirmed by the GDPR and other laws containing provisions relating to the protection of the processing of personal data. 24. Pursuant to Article 33 § 1 LCA, the Litigation Chamber is the body of ODA administrative litigation. It is, among other things, seized of the complaints that are brought to it transmitted via the IMI system, on the basis of Article 56 of the GDPR. 25. Pursuant to articles 51 and s. of the GDPR and Article 4.1 LCA, it is up to the Chamber Litigation as an administrative litigation body of the DPA, to exercise a effective control of the application of the GDPR and to protect the freedoms and rights fundamental rights of natural persons with regard to processing and to facilitate the free flow personal data within the Union. 26. As the defendant acknowledges, the website collects personal data personal through 3 types of cookies, namely audience cookies; cookies "box of dialog” and session cookies, and therefore processes this personal data. 27. The Litigation Chamber is competent to rule in cases concerning the processing of personal data, pursuant to Article 4, § 1 of the LCA, of Article 55 of the GDPR and in compliance with Article 8 of the Charter of Fundamental Rights of the European Union. 28. Furthermore, under Belgian law, the Belgian Institute for Postal Services and Telecommunications (BIPT) is the controller for the Communications Act Electronic (ECL hereinafter), including for section 129 of the ECL which implements section 5.3, Decision on the merits 11/2022 - 9/32 1 of Directive 2002/58 (hereinafter, the "e-privacy Directive"), in accordance with Article 14, § 1 of the law of 17/01/2003 relating to the status of the regulator of the postal and Belgian telecommunications. 2 29. In its Opinion 5/2019 on the interaction between the ePrivacy Directive and the GDPR, the European Data Protection Board (hereafter: "EDPB") has confirmed that the data protection authorities are competent to apply the GDPR to data processing, also in the context where other authorities would be competent, under the national transposition of the e-privacy Directive, for monitor certain elements of personal data processing. 30. It also emerges from this opinion that the e-privacy Directive aims to “specify and supplement” the provisions of the GDPR with regard to the processing of personal data personnel in the electronic communications sector, and in doing so to guarantee the compliance with Articles 7 and 8 of the Charter of Fundamental Rights of the EU. 31. The Litigation Chamber notes, in this regard, that Article 8.3 of the Charter provides that the processing of personal data is subject to the control of an authority independent, responsible for data protection. 32. In addition, the predecessor of the EDPB (the article 29 working group on the protection Data Protection, hereinafter: Data Protection Working Group) has also clarified that GDPR requirements for obtaining valid consent apply to situations that fall within the scope of the E-privacy Directive. 3 33. In the Planet judgment49, the Court of Justice of the European Union confirmed in particular that the collection of data through cookies could be qualified as processing of personal data. Therefore, the Court interpreted Article 5.3 of the Directive Privacy and electronic communications using the GDPR, specifically on the basis of Article 4.11, Article 6.1.a GDPR (consent requirement) and Article 13 GDPR (information to be provided). 1Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data personal character and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, as amended by Directive 2009/136/EC of the European Parliament and of the Council of November 25, 2009, hereinafter the “ePrivacy Directive”). 2 EDPB, Opinion 5/2019 on the interactions between the “privacy and electronic communications” directive and the GDPR, in in particular with regard to the competence, tasks and powers of data protection authorities, § 69 3Data Protection Working Party, Guidelines on Consent within the meaning of Regulation 2016/679, WP259, p. 4. 4Judgment of the Court of 1 October 2019, Planet49, C-673/17, ECLI:EU:C:2019:801, paragraph 45. 5As well as with the help of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 relating to the protection of natural persons with regard to the processing of personal data and on the free movement of such data, Decision on the substance 11/2022 - 10/32 34. As indicated above, BIPT's competence to supervise certain elements of the processing – such as the placement of cookies on the terminal equipment of the Internet user – does not prejudice the general competence of the DPA. As precised by the EDPB, the data protection authorities remain competent for matters processing (or elements of processing) for which the e-privacy Directive does not provide no specific rules. There is indeed a complementarity of competences between BIPT and ODA in the specific case, insofar as on the basis of Article 4 of the LCA, ODA is responsible for monitoring compliance with the fundamental principles of the protection of data (as affirmed by the GDPR and in other laws containing provisions relating to the protection of personal data), and that the consent constitutes a fundamental principle in this field. 35. The complaint also relates to the processing occurring following the placement of the cookie litigation. 7 36. Furthermore, Opinion 5/2019 on the interaction between the e-privacy Directive and the GDPR aforementioned of the EDPB also indicates that national procedural law determines what must happen when a data subject lodges a complaint with the authority of data protection relating to the processing of personal data (such as by example the collection of data by means of cookies), without also complaining about (potential) breaches of the GDPR. This corresponds well to the present case. 37. In this regard, the Court of First Instance of Brussels has clearly indicated that the legal predecessor of the DPA was competent to submit a requisition to a court "to the extent that it relates to alleged violations of the privacy law of the 8 December 1992, to which article 129 of the LCE, which clarifies and completes it, refers 8 moreover expressly ". As indicated below, article 129 LCE is the implementation in Belgian law of article 5.3 of the privacy directive. 38. The DPA is thus competent to verify whether the requirement of the fundamental principle that constitutes consent around the disputed cookie whether or not it complies with the conditions GDPR consent. 6EDPB, Opinion 5/2019 on the interactions between the “privacy and electronic communications” directive and the GDPR, in in particular with regard to the competence, tasks and powers of data protection authorities, § 69. 7 EDPB, Opinion 5/2019 on the interactions between the "privacy and electronic communications" directive and the GDPR, in in particular with regard to the competence, tasks and powers of data protection authorities, 12/03/2019, §70 8 Brussels Court, 24th Civil Affairs Chamber, 16 February 2018, case file no. 2016/153/A, point 26, p. 51, available at : https://www.autoriteprotectiondonnees.be/news/lautorite-de-protection-des-donnees-defend-son-argumentation-devant- the court-of-appeal-of-brussels., Decision on the merits 11/2022 - 11/32 39. The DPA is also competent to verify compliance with all the other conditions made mandatory by the GDPR – such as transparency of processing (Article 12 of the GDPR) or the information to be communicated (article 13 of the GDPR). 40. As confirmed by the Court of Justice in the Facebook and Others judgment, only the recording and the reading of personal data by means of cookies falls within the scope application of Directive 2002/58/EC, while “all previous operations and subsequent processing activities of such personal data by means of other technologies do fall within the scope of [GDPR]. 9 IV.2- As regards breaches of the principles of transparency (Article 5.1.a and 12 and 13 of the GDPR) and lawfulness (Article 6 of the GDPR) IV.2.1.1-Reminder of the basic legal principles concerning the use of tracking tools and Cookies 41. Before examining the corresponding shortcomings identified by the IS report, the Litigation Chamber considers it useful, for educational purposes, to conduct a short introduction to cookies and to recall the basic legal principles concerning internet user tracking tools, including cookies. 42. The term tracers includes cookies and HTTP variables, which may in particular pass through invisible pixels or "web beacons", "flash" cookies, access to terminal information from APIs (LocalStorage, IndexedDB, identifiers advertising such as IDFA or android ID, GPS access, etc.), or any other identifier generated by software or an operating system (serial number, MAC address, unique terminal identifier (IDFV), or any set of data used to calculate a unique fingerprint of the terminal (for example via fingerprinting). 43. These cookies and other tracers can be distinguished according to different criteria, such as the purpose they pursue, the field that places them or their lifespan. The cookies can thus be used for many different purposes (among others, to support communication on the network -“connection cookie”-, to measure the audience of a website - “audience measurement cookies, analytical cookies or cookies statistics”-), for marketing and/or behavioral advertising purposes, for authentication…). 44. Cookies can also be distinguished according to the domain that places them, they are thus “of first party" or "third party". “First party” cookies are placed directly 9 Judgment of the Court of 15 June 2021, C-645/19, ECLI:EU:C:2021:483, paragraph 74., Decision on the merits 11/2022 - 12/32 by the owner of the website visited, unlike "third-party cookies", set up by a domain different from the one visited (for example when the site incorporates elements other sites like images, social media plug ins -the "Like" button of Facebook for example- or advertisements). When these elements are extracted by the browser or other software from other sites, these may also place cookies that can then be read by the sites that have placed them. Those " third-party cookies" allow these third parties to monitor the behavior of Internet users in the time and across many sites and to create, from this data, profiles of internet users. 45. Cookies can also be distinguished according to their period of validity, between cookies "of session” and “persistent” ones. “Session cookies” are automatically deleted when closing the browser while “persistent cookies” remain stored on the device used until their expiration date (which can be expressed in minutes, days or years). 46. From a legal point of view, a distinction should be made between tracers that must be subject to consent by the user, of those who should not be subject to it. 47. Trackers that do not require consent are those strictly necessary for the provision of an online communication service expressly requested by the user, or the tracers which aim to allow the transmission of the communication by electronic means. These trackers do not require consent users. The processing of personal data in these tracers is generally based on the legitimate interest of the data controller (Article 6.1.f) of the GDPR). 48. This does not, however, prevent, in compliance with the principle of transparency, informing Internet users of their use and remind them that browser settings can allow them to block them and in this case to mention the effects potentially negative for the operation of the site. Processing of personal data associates obviously remain subject to the principles of the GDPR. 49. Cookies that do not require consent include those retaining the choice expressed by users on the deposit of tracers, those intended for authentication with a service, those allowing the content of a shopping cart, or even those personalizing the user interface (for example, for the choice of language or presentation of a service), when such personalization constitutes an intrinsic and expected element of the service., Decision on the merits 11/2022 - 13/32 50. Other trackers and cookies are subject to prior consent. the processing on the basis of legitimate interest is also prohibited for these cookies. All cookies not having the exclusive purpose of allowing or facilitating communication by electronic means or not being strictly necessary for the supply of a service of online communication at the express request of the user therefore require a prior consent. These can for example be linked to the display of advertising personalized or non-personalized (when tracers are used to measure the audience of the advertising displayed in the latter case) or to functionalities of sharing on social networks. In the absence of consent (assuming therefore of a user's refusal), these tracers cannot be deposited and/or read on his 10 terminal. IV.2.1- As to the breach concerning the use of a cookie without prior information of the user 51. In essence, the IS notes two shortcomings in this respect: - Article 12.1 of the GDPR provides that the controller must take measures appropriate to provide the person concerned with any information referred in particular to Article 13 of the GDPR in a concise, transparent, understandable and easily accessible way accessible, in clear and simple terms. Article 12.2 of the GDPR provides that the controller processing must facilitate the rights of the data subject. - Article 13.1 and 2 indicates, concerning the information to be provided when data to be personal character are collected from the data subject: “1. Where personal data relating to a data subject is collected from this person, the data controller provides him, at the time when the data in question are obtained, all of the following information: a) the identity and contact details of the controller and, where applicable, of the representative of the controller (b) where applicable, the contact details of the data protection officer; c) the purposes of the processing for which the personal data are intended as well as the legal basis for processing; d) where the processing is based on Article 6(1)(f), the legitimate interests sued by the controller or a third party; 10See Recommendation No. 01/2020 of the Knowledge Center of January 17, 2020 relating to the processing of personal data personal character for direct marketing purposes concerning many practical aspects and examples on a use GDPR-compliant cookies, in particular regarding consent and transparency (p78 +s). See also the file CNIL practice "Cookies and tracers: how to bring my website into compliance?" », October 01, 2020, https://www.cnil.fr/fr/cookies-et-traceurs-comment-mise-mon-site-web-en-conformite, Decision on the merits 11/2022 - 14/32 e) the recipients or categories of recipients of the personal data, if they exist; and (f) where applicable, the fact that the controller intends to transfer data personal data to a third country or to an international organisation, and the existence or absence of an adequacy decision issued by the Commission or, in the case transfers referred to in Article 46 or 47, or in the second subparagraph of Article 49(1), the reference to the appropriate or adapted safeguards and the means of obtaining a copy or where they were made available; 2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data is obtained, the following additional information that is necessary to ensure processing fair and transparent: a) the retention period of the personal data or, where this is not possible, the criteria used to determine this duration; b) the existence of the right to ask the controller for access to personal data personal information, rectification or erasure thereof, or limitation of processing relating to the data subject, or the right to oppose the processing and the right to the portability of the data; c) where the processing is based on point (a) of Article 6(1) or on Article 9, paragraph 2(a), the existence of the right to withdraw consent at any time, without undermine the lawfulness of processing based on consent made before the withdrawal of this one; d) the right to lodge a complaint with a supervisory authority; (e) information on whether the requirement to provide personal data personnel is of a regulatory or contractual nature or if it conditions the conclusion of a contractandthepersonconcernedisrequiredtoprovidethepersonaldata,thus only on the possible consequences of the non-provision of these data; f) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the logic underlying data, as well as the significance and anticipated consequences of such processing for the concerned person. 52. The Litigation Chamber recalls that the objective of the principle of transparency light to Articles 12, 13 and 14 of the GDPR is that the data subject should be, according to the principle of loyalty of article 5.1. a), able to determine in advance what the scope and the consequences of the treatment include in order not to be caught without at a later stage as to how his personal data has been used. The information should be concrete and reliable, it should not be formulated in abstract or ambiguous terms nor leave room for different interpretations. More specifically, the purposes and legal bases of the processing personal data should be clear., Decision on the merits 11/2022 - 15/32 11 53. In the Planet49 judgment, the Court of Justice of the European Union held that for the placement of cookies, the controller had to provide information on the duration of operation of cookies as well as on the possibility or not for third parties to have access to these cookies, in order to guarantee fair and transparent information (Article 5.3 of the Privacy and Electronic Communications Directive concerning the placement of cookies is thus read together with the principle of fairness (article 5.1. a) and the information obligations of Article 13.2 (a) and (e) of the GDPR). 54. Under Articles 5.2 and 24 of the GDPR, the controller must take steps appropriate technical and organizational measures to guarantee and be able to prove that the processing of personal data using cookies is carried out in accordance with Articles 12 and 13 of the GDPR. 55. In the present case, the IS notes, firstly, that when connecting to the site of the defendant (home page), a cookie was already loaded in the browser so that no information had been delivered to the user. Personal data has therefore been processed before the information required by Article 13 GDPR is communicated. The cookie was named "third_party_c_t", and allowed to fill in the defendant on whether or not the user's browser accepted cookies from third parties (preference cookies from participating companies). 56. The defendant acknowledges in its submissions the absence of prior information from the user regarding the placement of the cookie, at least in the version of the site at time of the investigation carried out by the inspection service. She first emphasizes time that the cookie in question was deleted in April 2020 following a change in the website. She adds that it was a first party cookie and qualified as essential (strictly necessary therefore, which the IS report does not dispute). In addition, this cookie did not constitute a risk for the rights and freedoms of the persons concerned because it did not resemble an identifier. 57. With regard to the period between the entry into force of the GDPR, on 25 May 2018, and the deletion of said cookies in April 2020, the defendant indicates that for reasons techniques the cookie was placed before the information banner on the use of cookies by the site does not appear. She also explains that it was impossible to make appear information about the cookie in the language of the user since it is on this page that the user had to select his language/country. 58. It also specifies that insofar as it was an essential cookie, the consent of the user was not required. This is not disputed in the IS report. 1Judgment of the Court of 1 October 2019, C-673/17, ECLI:EU:C:2019:801., Decision on the merits 11/2022 - 16/32 59. The Litigation Division takes note of the modification of the defendant's website, which, as the latter indicates in its conclusions, reinforces its compliance with the GDPR. It also takes note of the deletion in April 2020 of the cookie in question. It does not remains that between the entry into force of the GDPR (May 25, 2018) and the deletion of said cookie in April 2020, the defendant collected and processed data personal information without first providing information to the user. 60. The arguments put forward by the defendant cannot be followed, the first according to which the cookie was loaded before the information banner appeared for “reasons techniques”, and the second, according to which the information could not be communicated to the user before loading the cookie since it is precisely on the page visited that he had to choose his language/country. Regarding the language argument not yet selected by the user, it was appropriate, therefore, to display the warning of the use of the cookie in English, a language widespread and commonly used by others websites before selecting the user's language. 12 61. The argument underlined by the plaintiff according to which the impact in terms of terms of risks to the rights and freedoms of users was low: indeed, the obligation of prior information applies to all types of cookies, whether their impact on the right to data protection of data subjects is weak or not. 62. The Litigation Chamber finds a breach of Articles 12 and 13 of the GDPR, between the entry into force of the GDPR (i.e. May 25, 2018) and the withdrawal of the “third_party_c_t” cookie in April 2020. IV.2.2- As for the transparency of the box indicating that “information not identifiable” are collected 63. The second shortcoming noted by the SI report concerns the screen which appeared (at time of the survey, therefore before the modification of the website), when the user chose his language and his country. This screen indicated: “This website collects and uses non-identifiable information to analyze the activity of the site in order to improve its navigation. You can control how this information is collected and used” and was accompanied by a hyperlink to the “Protecting Your Privacy” page. 64. The SI report emphasizes that although this information is not identifiable, it remain personal data. According to the SI, this box is not "transparent 12The Litigation Chamber also refers to the extensive practical information on cookies available on the APD website at the url https://www.autoriteprotectiondonnees.be/citoyen/themes/internet/coovoir. Also Recommendation n° 01/2020 of January 17, 2020 relating to the processing of personal data for the purposes of direct marketing concerning many practical aspects and examples of the use of cookies in accordance with the GDPR, in particular regarding transparency (p78 +s), Decision on the merits 11/2022 - 17/32 and does not allow the user to get an idea of what is collected and for what reason this collection is made. 65. The defendant responds in this regard that a dialog box replaces, since the modification of the website, the screen (or box) in question. It also disputes that for the period prior to the amendment the box was not transparent, in that it was sufficient to the user to click on the hyperlink to obtain information relating to the “non-identifiable information” collected. This screen also remained displayed for the user's entire visit, unless they close it. She adds that this information were available on other pages of the site as well as in the policy document of the privacy of the site. It also recalls that insofar as these cookies were not not subject to prior consent (since they were strictly necessary), the GDPR does not require the controller to provide all the information useful in a single advance information box, which, according to her, would not be not feasible in practice. 66. The Litigation Chamber recalls the requirement of recital 58 of the GDPR according to which " The principle of transparency requires that any information sent to the public or to the person concerned is concise, easily accessible and easy to understand and formulated in clear and simple terms and, in addition, where appropriate, illustrated with elements visuals. ". 67. It also recalls the requirement of Article 12.1 of the GDPR, which stipulates that “The person responsible for the processing takes appropriate measures to provide any information referred to in Articles 13 and 14 as well as to carry out any communication under Articles 15 to 22 and Article 34 with regard to the treatment to the data subject in a way concise, transparent, understandable and easily accessible, in clear and simple, in particular for information intended specifically for a child. " (we emphasize) 68. In other words, this means that before consent is sought from the user, the principle of transparency imposes that precise information must be be communicated on the data controller, the purposes pursued by the cookies and other tracers that will be deposited and/or read, the data they collect and their lifespan. The information must also relate to the rights that the GDPR recognizes to the user (or data subject), including the right to withdraw consent. 69. As indicated above, the information must be visible, complete and highlighted. It must be written in simple and understandable terms for any user. That implies, in particular, that the information be written in a language that is easily understandable for the "target audience" to which it is addressed. For example, if the website, Decision on the merits 11/2022 - 18/32 is intended for a French-speaking and/or Dutch-speaking public, the information must be written in French and/or Dutch. 13 70. The Litigation Chamber considers that the defendant failed, before the modification of the site, to the obligation of transparency insofar as the box did not propose, at all least, a direct link to the required information about the cookies used under Article 13 of the GDPR, instead of a general reference to the privacy policy of the defendant. 14 71. In this regard, the Chamber endorses the recent guidelines of the CNIL, which also point out that "A simple reference to the general conditions of use does not could suffice. At a minimum, the provision of the following information to users, prior to collection of their consent, is necessary to ensure the informed nature of this last : - the identity of the person(s) responsible for processing the read or write operations; - the purpose of the data reading or writing operations; -how to accept or refuse tracers; - the consequences attached to a refusal or acceptance of tracers; - the existence of the right to withdraw consent.” 72. The Litigation Chamber can only repeat the key role of the principle of transparency in respect for the data protection rights of data subjects. This principle contributes to guaranteeing freedom of choice to users by giving them more control over their personal data, in particular in the context of large-scale Internet tracing practices in our economy digital. 73. The Litigation Division notes from the outset and in the alternative that, in addition to the necessary compliance with the principle of transparency, as developed below, the consent of the user (for non-functional cookies) must also respond to a certain number of requirements. 13As indicated below, in the present case, in the absence of being able to identify the target language from the first page of the site, the controller may use English in order to allow the user to choose his language. 14 Deliberation no. 2020-091 of September 17, 2020 adopting guidelines relating to the application of article 82 of the amended law of 6 January 1978 to read and write operations in a user's terminal (in particular to " cookies and other tracers”) and repealing deliberation no. 2019-093 of July 4, 2019, points 23-25, Decision on the merits 11/2022 - 19/32 74. For information purposes, the Litigation Division refers to the APD website, where are available many practical tips for GDPR-compliant use of cookies. 75. In the present case, the Litigation Division finds that the defendant has rectified breaches of the principle of transparency mentioned above by modifying its site. The breach identified in the IS report is therefore no longer relevant. IV.3- Regarding breaches of Articles 12 and 13 of the GDPR 76. The IS report also indicates that the Privacy Policy document of the defendant would not comply with Articles 12 and 13 of the GDPR, firstly because the information provided is not always concise, transparent or understandable, and second, because they are incomplete. IV.3.1- As for the fact that the information is not always transparent or understandable 77. The IS considers that the information contained in the Privacy Policy document of the defendant are not always transparent or understandable for several reasons. 78. A- Firstly, the IS points out that the language used would be neither coherent nor logical because the defendant uses the terms “personal information” and “personal data” instead of “personal data” as in the GDPR. 79. As indicated above, Article 12 of the GDPR requires that the information, to be provided according to the articles 13 and 14 of the GDPR, are communicated "in a concise, transparent, understandable and easily accessible, in clear and simple terms”. The Group of 16 work “Article 29” specifies in its Guidelines on Transparency that “ the requirement that this information be “understandable” means that it should be understood by the majority of the target audience. Comprehensibility is closely related to the requirement to use clear and simple terms”. 80. The Litigation Chamber considers that the defendant must be followed when explaining that the GDPR does not require the use of the term “personal data”, that the terms "personal information" and "personal data" may be 15 https://www.autoriteprotectiondonnees.be/citoyen/themes/internet/cookies. See also the CNIL website “Questions- answers on the amending guidelines and the “cookies and other trackers” recommendation available via https://www.cnil.fr/fr/questions-reponses-lignes-directrices-modificatives-et-recommandation-cookies-traceurs. 16 Article 29 Working Party, “Guidelines on Transparency within the meaning of Regulation (EU) 2016/679”, Revised version and adopted on 11 April 2018, WP260 rev.01, 17/FR, p.8., Decision on substance 11/2022 - 20/32 understood by the majority of the intended audience (particularly in the context of reading paragraphs using them), and that they can be considered as synonyms. 81. The Chamber further notes that the Respondent now only uses the terms “personal data” in its updated version of its Policy document of privacy. 82. This breach raised by the IS is therefore invalid. 83. B- Secondly, the SI raises that the warning of “consequences undesirable” in the event of refusal of cookies is not understandable and therefore prevents a free consent, since it does not explain what these undesirable consequences are. 84. The Article 29 Group expressed itself in these terms: “A key aspect of the principle of transparency highlighted in these provisions is that the data subject should be able to determine in advance what the scope and the consequences of the treatment include in order not to be taken unawares at a stage as to how his personal data has been used. It is also an important aspect of the principle of fairness under Article 5(1) of the GDPR, which is also linked to recital 39 which provides that “[t]he natural persons should be informed of the risks, rules, safeguards and rights associated with the processing of personal data”. More particularly, with regard to the processing of complex, technical or unforeseen data, the position of the G29 is that those responsible processing should, in addition to providing the information set out in Articles 13 and 14 (discussed later in these guidelines), define separately and in a clear the main consequences of the treatment: in other words, what will actually be the effect specific processing described in a privacy statement or notice private for the data subject. In accordance with the principle of responsibility and in accordance with recital 39, controllers should assess whether there are for the natural persons concerned by this type of treatment of the particular risks which should be brought to the attention of those concerned. Such an assessment could help provide insight into the types of treatment that are likely to have the most impact on the fundamental rights and freedoms of data subjects with regard to the protection of their personal data. (emphasis added) 85. According to the defendant, it is clear that the words “undesirable consequences”, read in their context, refer to the use of the site, which does not operate in a way optimal in case of rejection of essential cookies. She specifies that this warning is repeated 17 Ibid, Decision on the Merits 11/2022 - 21/32 in several different places on the site, and that in the new version of the site, a table explaining the effects of rejecting cookies has been added. 86. The Litigation Chamber is of the opinion that the use of these terms allows users to understand the practical consequence of rejecting the cookie. Nevertheless, beyond the question of clearly informing the user about the “undesirable consequences” (impossibility of using the site or limited use) related to the rejection of the cookie, to Subsidiarily, the Litigation Chamber stresses that this “cookiewall” practice does not can be tracked only when the rejected cookie is a strictly necessary cookie (unless the opposite of the case of a non-functional cookie) (see below, part IV.7.2 on this subject). 87. The defendant can therefore be followed when it maintains that these terms refer sufficiently clear way to the use of the website. 88. C- Finally, the IS report argues that the reference to “additional information » concerning cookies on the Google, Firefox, Windows sites, on the site of the defendant is not understandable either in the absence of explanations additional. 89. The defendant maintains that this reference to the “additional information” on the cookies to the main browsers (Google, Firefox, Windows) is a practice It specifies that most websites using cookies do the same, including the ODA website. It specifies that the site even contains an additional information section entitled “Get to know your computer’s privacy settings”, which provides concrete explanations with supporting images. 90. In this context, the Litigation Division is of the opinion that the reference to the “information additional” on browser cookies (Google, Firefox, Windows) is understandable enough for the user. IV.3.2- As to the fact that the information is not complete 91. The IS then argues that the information contained in the Life Policy document defendant's privacy are not complete for two reasons. 92. A- Firstly, the SI raises that the existence of the right to withdraw consent at any moment is not mentioned for the processing of personal data, but only for the management of cookies. 93. Article 7.3 of the GDPR lays down strict conditions for the withdrawal of consent valid: (a) the data subject has the right to withdraw consent at any time, (b) it must be informed in advance, and (c) it must be as simple to withdraw as to to give his consent. Pursuant to article 129, last paragraph of the ECL, the person responsible, Decision on the merits 11/2022 - 22/32 of the processing is obliged to give "free of charge" the possibility to end users of the terminal equipment concerned "to withdraw consent in a simple manner". 94. This right to withdraw consent must therefore be subject to prior information (Article 7.3.b), and should also be read in conjunction with the requirement for processing fair and transparent within the meaning of Article 5 and Article 13.2.c of the GDPR. A non-existent or incomplete information concerning the right to withdraw consent would imply that the consent would be given de facto for an infinite period and that the data subject would be deprived of their right to withdraw their consent. These rules apply both with regard to "first party" cookies and those of "third party ". 95. The defendant replies that except for analytical cookies (and in the rare cases where personal data is contained in a contact form), the site does not process no personal data for which consent is required. However, the statement privacy policy indicates that users of the site can erase cookies, which amounts, unequivocally according to the defendant, to withdrawing their consent. She concludes that further mention of the existence of the right to withdraw consent is not necessary. 96. The defendant adds that the APD does the same on its own website, that is to say uses also analytical cookies based on consent (and consent forms) contact), without explicit mention of the “right to withdraw consent” in its "Data Protection Statement". 97. The Litigation Division takes note of the fact that in the current version of the page " Protection of your privacy", a specific statement on the existence of the right to withdraw his consent for the processing of personal data has been inserted, and considers that the information is sufficiently complete. IV.4- Regarding breaches of Article 30 of the GDPR 98. The IS also points out that the processing register does not mention third countries to whom several categories of personal data are transmitted, but merely a reference to documents from subcontractors with whom it has entered into agreements. 99. The defendant replies that the register is based on a model of a European regulator, which includes referrals. She explains that she works with different subcontractors Americans providing cloud computing type services, and that the information on these third countries may vary according to their servers and types of services. She adds that the purpose of the references to these documents of its subcontractors is to have information always complete and up-to-date. It also clarifies that this concerns only, Decision on the merits 11/2022 - 23/32 a few boxes of the register, that it is otherwise completed in accordance with the GDPR, and that it does not prohibit doing so. 100. The Litigation Chamber strongly recommends that third countries be indicated and easily identifiable in the processing register, particularly in view of the recent case law of the CJEU in terms of transfer to third countries. On the basis of Article 100.9 of the LCA, it orders the defendant to adapt its register of processing by clearly indicating the third countries to which data are sent personal data, to better respond to the case law of the CJEU. IV.5- Regarding breaches of Articles 24 and 32 of the GDPR 101. The IS criticizes the use of the protocol (url link) http and not https, in that this constitutes a breach of the security obligation. 102. The defendant replies that since January 15, 2020 the site has switched to the protocol https. She also explains that this migration has been an ongoing project since 2014, but that its implementation has been long and difficult due to the fact that it must collaborate with all its members (more than a hundred). She adds that since her site only processes a small amount of data personal data, the risks for the persons concerned were low, and that given the risk-based approach of the GDPR, this migration to the https protocol was not necessarily necessary. 103. Without pronouncing further on this subject, the Litigation Chamber takes note of the migration of the site to the https protocol, and notes that the breach mentioned in the report of the IS is therefore no longer relevant. IV.6- Regarding breaches of Articles 24 and 37 of the GDPR 104. In addition, the IS criticizes the absence of an official decision documenting the choice to appoint whether or not a Data Protection Officer (DPO hereafter), and considers that the defendant should have appoint a DPO because it uses a cookie which allows “regular and systematic monitoring at large scale of the persons concerned”. 105. The respondent notes that the GDPR does not require a formal procedure to be followed for the decision to appoint a DPO or not, and that documenting the reasons for this decision not to appoint is a recommendation and not an obligation. 18 Judgment of the Court of 16 July 2020, C-311/18, Facebook Ireland and Schrems, ECLI:EU:C:2020:559. (“Schrems II case”), Decision on the merits 11/2022 - 24/32 106. Next, concerning the cookie which, according to the IS, allows "regular and systematic monitoring at large scale of the persons concerned”, the defendant replies that the cookie is not no longer used since April 2020. She adds that even when used, this cookie does not did not justify appointing a DPO because this cookie was not an identifier since it was the even for everyone therefore did not allow to follow a user”. Nevertheless, insofar as this cookie contained personal data, it allowed to identify the persons concerned. 107. The defendant argues that there was no “large-scale monitoring”, and that even if its cookies allowed “systematic and large-scale monitoring” -quod non-, it would have still had to constitute a “basic activity” of the defendant, which was not not the case (proof would be that today it continues its same activities but without the cookie in question). 108. The Litigation Division is of the opinion that the defendant can be followed when it argues that the GDPR does not require you to follow a formal procedure for the decision to appoint a DPO or not, and that documenting the reasons for this decision not to not naming any is a recommendation and not an obligation. 109.Concerning the obligation to appoint a DPO, the Litigation Chamber recalls the prescribed of Article 37.1.b) of the GDPR, according to which data controller must appoint a DPO if “the core activities of the controller or processor consist of processing operations which, due to their nature, their scope and/or their purposes, require regular and systematic monitoring on a large scale of people concerned”. This article should be read in conjunction with the Guidelines concerning the Group's data protection officers article 29 . Without of “systematic and large-scale monitoring”, it cannot be concluded that there has been a breach in Article 37 of the GDPR. IV.7- Regarding the content of the complaint 110. After considering the shortcomings raised by the IS, the Litigation Chamber examines below the grievances as expressed by the complainant in his complaint. 111. As indicated above n°12 to 14, the complainant raises two grievances in his complaint. He indicates in the first place that the tool for selecting advertising preferences does not does not work, in that the opt-out cookie for many third parties does not work (although he clicks the decline option, the accept option re-engages 19 WP243rev., Decision on the merits 11/2022 - 25/32 automatically). He thus raises that his consent to these cookies is forced and therefore not free within the meaning of Articles 4.11 and 7 of the GDPR. 112. He also complains that the website requires the user to accept cookies in order to be able to select their advertising preferences. The cookie in question makes it possible to inform the defendant whether or not the user's browser accepts the third-party cookies. The Litigation Chamber therefore understands that the plaintiff opposes the placement of the cookie, as well as the subsequent processing of its data personal by the defendant. IV.7.1- Concerning the complainant's first grievance, relating to the malfunctioning of the tool for choosing advertising preferences 113. The respondent responds to the complainant's first grievance that it is clearly indicated on his site (in the same tool for choosing preferences as well as in the General Conditions of use) that when using ad blocking software, the tool of choice may not work. It also appears from the print screen of the complainant's browser in the IS report that it actually uses such software. The IS report (based in particular on the technical analysis report which includes a test of the good operation of the control tool) does not raise any malfunction of the control tool control. Therefore, the Litigation Chamber cannot support the complainant in his grievance. that his consent would be forced, in violation of articles 4.11 and 7 of the GDPR. IV.7.2- Regarding the complainant's grievance that the defendant's website obliges the user to accept cookies in order to be able to use the site, a practice known as "cookie wall» 114. Before examining the specific issue of the cookie wall, for educational purposes, the Litigation Division considers it useful to recall the rules regarding consent. IV.7.2.1- Concerning the criteria for valid consent 115. Article 4.11 of the GDPR defines the “consent” of the data subject as following: "any manifestation of will, free, specific, enlightened and unequivocal by which the person concerned accepts, by a declaration or by a clear positive act, that personal data concerning him are processed”. 116. Article 7 of the GDPR also sets out the conditions applicable to consent: “1. In cases where processing is based on consent, the controller is able to demonstrate that the data subject has given consent to the processing of personal data relating to him., Decision on the merits 11/2022 - 26/32 2. If the consent of the data subject is given in the context of a written statement which also concerns other matters, the request for consent is presented in a form that clearly distinguishes it from these other questions, in an understandable and easily accessible form, and formulated in plain and simple terms. No part of this statement that constitutes a violation of the this regulation is not binding. 3. The data subject has the right to withdraw consent at any time. the Withdrawal of consent does not affect the lawfulness of processing based on the consent given before this withdrawal. The person concerned is informed before giving consent. Withdrawing is as easy as giving consent. 4. When determining whether consent is freely given, consideration should be given to the greatest account of the question of knowing, inter alia, whether the performance of a contract, including the provision of a service, is subject to consent to the processing of personal data which is not necessary for the execution of the said contract.” 117. Also, according to recital 43 of the GDPR, “consent is presumed not to have freely given if separate consent cannot be given to different personal data processing operations although it is appropriate in the present case". 118. Furthermore, Article 5.3 of the ePrivacy Directive, as transposed by Article 129 of the LCE, lays down the condition that the user "has given his consent" for the placement and the consultation of cookies on its terminal equipment, with the exception of the technical recording of information or the provision of a requested service expressly by the Subscriber or End User when placing a cookie is strictly necessary for this purpose. 119.As indicated above, a cookie is qualified as “functional” when it is indispensable for carrying out the sending of a communication via a communications network electronically or to provide an expressly requested service. 120. Recital 17 of this Directive specifies that for its application, the notion of "consent" shall have the same meaning as "consent of the person data subject", as defined and specified in the Data Protection Directive 95/46 20 now replaced by the GDPR. 121. In the Planet judgment49, the Court of Justice of the European Union clarified the requirement of consent for the placement of cookies following the entry into force of the GDPR and explained that explicit active consent was now required: 20Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data., Decision on the substance 11/2022 - 27/32 "Active consent is thus now expressly provided for by the Regulation 2016/679. It should be noted in this regard that, according to recital 32 of that regulation, the expression of consent could be done in particular by ticking a box when consultation of a website. That recital, on the other hand, expressly excludes there is consent “in the event of silence, default ticking or inactivity”. He it follows that the consent referred to in Article 2(f) and Article 5(3) of the Directive 2002/58, read in conjunction with Article 4(11) and Article 6(1), under a), of Regulation 2016/679, is not validly given when the storage information or access to information already stored in the terminal equipment of the user of a website is authorized by a box checked by default that the user must uncheck to refuse consent." 21 122. The consent must also be "specific". The Litigation Chamber refers to the 22 Guidelines on consent within the meaning of Regulation 2016/679 which have been ratified by the EDPB: "Article 6(1)(a) confirms that the consent of the person concerned must be given in connection with "one or more specific purposes" and that the 23 data subject has a choice “regarding each of these purposes”. This means "that a data controller who seeks consent for various purposes should provide separate consent for each purpose so that users can give specific consent for specific purposes." 24 123. More specifically, the user of the website should receive information among other things on the methods of expressing his will about cookies, and how he can "accept them all, accept only some or none". 25 124. For example, confirming a purchase or accepting terms and conditions is not sufficient therefore not to consider that the consent has been validly given to the placement or when reading cookies. Nor can consent be given for the sole "use" of cookies, without further details as to the data collected via these cookies or as to the purposes for which this data is collected. The GDPR requires, in indeed, a more detailed choice than a simple “all or nothing”, but it does not however require a 21 Planet49 stop, points 61 and 62 22Data Protection Working Party, Guidelines on Consent within the meaning of Regulation 2016/679, WP259, p. 4 23 Ibid, p. 14. 24 Ibid, p. 14. 25Data Protection Working Party, Working Document 02/2013, setting out guidelines on the collection consent for the deposit of cookies, p. 3, https://cnpd.public.lu/dam-assets/fr/publications/groupe-art29/wp208_fr.pdf, Decision on the merits 11/2022 - 28/32 consent for each cookie individually. If the manager of a site or a mobile application seeks consent for several types of cookies, the user must have the choice to give consent (or refuse) for each type of cookies, or even, in a second layer of information, for each cookie individually. 125. This position is also defended by the CNIL, which considers that the fact of “collecting a single consent for several processing operations simultaneously meeting distinct purposes (the coupling of purposes), without the possibility of accepting or to refuse purpose by purpose, is also likely to affect, in certain cases, the freedom of choice of the user and therefore the validity of his consent. » 26 126. The Litigation Chamber refers in this respect to the Guidelines of the Group of work on data protection on how to obtain consent. According to the Data Protection Working Party, consent must be obtained by 27 cookie or by cookie category. IV.7.2.2- Concerning the complainant's second grievance and the practice of the "cookie wall" 127. With regard to the complainant's second allegation (namely that he is obliged to accept cookies to be able to select his advertising preferences - and that he opposes the subsequent processing of his personal data by the defendant-), the Chamber Litigation recalls that consent must be free. Indeed, as indicated supra, the GDPR imposes to “take the greatest account of the question of knowing, between others, if the performance of a contract, including the provision of a service, is subject to the consent to the processing of personal data which is not necessary for performance of the said contract”. According to recital 42 of the GDPR, which clarifies the requirement of freedom of consent set out in its article 4, “consent should not be considered to have been freely given if the person concerned does not have genuine freedom of choice or is unable to refuse or withdraw his consent without prejudice”. 28 128. The EDPB condemns, in its recent guidelines, the practice which makes the provision of a service or access to a website to the acceptance of write operations or reading on the user's terminal, or "cookie wall". We thus read that "In order that the consent is given freely, access to the services and functionalities must not 26 Deliberation no. 2020-091 of September 17, 2020 adopting guidelines relating to the application of article 82 of the amended law of 6 January 1978 to read and write operations in a user's terminal (in particular to " cookies and other tracers”) and repealing deliberation no. 2019-093 of July 4, 2019, points 17-19 27 Ibid. 28EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679, 4 May 2020, point 39, p.13, Decision on the merits 11/2022 - 29/32 be conditioned on the consent of a user to the storage of information, or to the access information already stored on a user's terminal equipment". The EDPB adds, regarding consent, that: “The controller must demonstrate “that it is possible to refuse or withdraw consent without prejudice (recital 42). For example, the manager of the processing must prove that the withdrawal of consent does not generate costs for the person concerned and that there is therefore no obvious disadvantage for those who withdraw their consent. 47. Other examples of harm are deception, intimidation, coercion or any significant negative consequence if the person concerned refuses to give his consent. The controller should be able to prove that the data subject has real freedom of choice regarding the decision to whether or not to give consent and that it is possible to withdraw consent without suffer harm. 48. If a data controller is able to demonstrate that a service includes the possibility of withdrawing consent without suffering negative consequences, i.e. say without the quality of service being reduced to the detriment of the user, this can constitute proof that the consent was freely given. The GDPR does not exclude all incentives, but it will be up to the data controller to demonstrate that the consent was given freely in all circumstances.” 129. The guidelines include concrete examples: “49. Example 8: when a user downloads a mobile application from the category “lifestyle”, the latter seeks his consent to access the accelerometer of the phone. This access is not necessary for the operation of the application, but is useful for the data controller who wishes to know more about the movements and the activity levels of its users. When the user later withdraws her consent, she discovers that the application no longer works except in a restraint. This is an example of harm within the meaning of recital 42, which means that the consent was never validly obtained (and the controller must therefore have all personal data relating to the movements of the users collected in this way). 50- Example 9: A data subject subscribes to a newsletter of a fashion brand with general discounts. The retailer requests the, Decision on the merits 11/2022 - 30/32 consent of the person concerned to collect more data on his shopping preferences in order to adapt its offers to its preferences by based on their purchase history or a questionnaire completed on a voluntary basis. If the person concerned subsequently withdraws their consent, they will again receive non-personalized reductions. This is not a prejudice, since only the authorized incentive will have been lost. 51. Example 10: A fashion magazine gives its readers the opportunity to buy new make-up products before their official launch. 52. The products will soon be available on the market, but readers of this review benefit from an exclusive preview of these products. In order to take advantage of this advantage, readers must give their mailing address and consent to their registration on the journal's mailing list. The mailing address is required for shipping and the mailing list is used for sending commercial offers for products such as as cosmetics or t-shirts throughout the year. 53. The company explains that the data on the mailing list will only be used for the sending of products and advertising leaflets by the magazine itself and will not be in no way shared with other organizations. 54. If the reader does not wish to reveal his address for this purpose, he will suffer no prejudice as long as the products are still accessible to him. » 130. The Respondent responds to the grievance raised by the Complainant in its conclusions that it is indicated in several places on the site in question that the service provided via the tool of choice advertising preferences is based on the use of cookies sent by the companies participants, and that if the user does not wish to receive cookies, then he must not use the service. It states more precisely in its conclusions (p19): • “The very first page of the YOC Website (the one from which one can choose a country and language), contains a link titled “How does this website work?” , which leads to a page that says: “When using the check tool function, small text files called "cookies" are used by many of the companies listed to verify your current status and make the choice you wish to exercise. These files are essential to this function and help identify errors in its functionality. Yes you want to ensure that these cookies are not used, please see our, Decision as to substance 11/2022 - 31/32 five main tips for more details on how to manage cookies in the your browser's privacy settings. However, if you do, the tool control will no longer function effectively” (Exhibit 9 – pages 1 and 2). • The terms and conditions that govern the use of the YOC Website and the YOC Tool indicate that: “To be able to use the website (…), it is necessary that each of the companies participants places a cookie on your web browser (the preference cookie) to so that we can remember your selections. Information on the cookies are available in our privacy policy: […]. If you use the website (…) with another computer or browser, or if you erase/delete your cookies, we will not be able to remember your preferences. You will need to return on the website (…) to select your preferences again. Additionally, the website internet (…) will not work properly if your browser is configured to block cookies, as your preferences cannot be saved without use of the preference cookie” (Exhibit 9 – page 3). • The “Protection of your privacy” page indicates: “This website covers the European Union/European Economic Area (EU/EEA), as well as Switzerland and Turkey and includes easy-to-use functionality (to which any user can access from any of the countries of the list) that will disable online behavioral advertising for users (from participating companies) who will choose […] Please note that disabling the cookies for this purpose will prevent the control tool from functioning. » 131. The Litigation Chamber notes that the user is therefore well informed of the fact that the use of these preference cookies is necessary for the operation of the site, and that the site imposes the choice to accept this system or not to use the website. The Chamber emphasizes that this reasoning can only be followed insofar as it concerns strictly necessary cookies, these cookies do not require the consent of the the user. In this case, the processing subsequent to the placement of cookies is not based on consent, but on the legitimate interest of the data controller (Article 6.1.f) of the GDPR). 132. Conversely, this reasoning must be rejected in cases where it concerns cookies that are not strictly necessary. Indeed, the user must be able to accept or refuse, to each application and each website, the deposit of non-functional cookies without coercion, pressure or outside influence. This requirement implies, inter alia, that, Decision on the merits 11/2022 - 32/32 the user cannot be refused certain services or advantages on the grounds that he would not have not consented to the use of non-functional cookies. The user who refuses a cookie requiring consent must be able to continue to benefit from the service, such as access to a website. 133. In the present case, insofar as the cookie in question is strictly necessary, the complainant's grievance cannot be upheld. There is therefore no breach of Article 6.1.a) of the GDPR, linked to the practice of “cookie walls”. 134. Given the importance of transparency regarding the decision-making process of the Chamber Litigation and in accordance with Article 100.1, 16° of the LCA, this decision is published on the website of the Data Protection Authority by deleting the identification data of the parties, since these are neither necessary nor relevant in the context of the publication of this decision. FOR THESE REASONS, THE LITIGATION CHAMBER Decides, after deliberation: - On the basis of Article 100, § 1, 9° of the LCA, an order for compliance of the register of treatment of the defendant, as indicated above - On the basis of article 100, § 1, 5° of the LCA, a reprimand Pursuant to Article 108, § 1 of the LCA, this decision may be appealed to the Court of Markets (Brussels Court of Appeal) within 30 days of its notification, with the Data Protection Authority as defendant. (se). Hielke Hijmans President of the Litigation Chamber