APD/GBA (Belgium) - 85/2022
APD/GBA - 85/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(11) GDPR Article 5(1)(e) GDPR Article 5(2) GDPR Article 6(1)(a) GDPR Article 6(1) GDPR Article 7(1) GDPR Article 7(3) GDPR Article 12(1) GDPR Article 24 GDPR Article 5(3)(e) ePrivacy Directive |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 16.01.2019 |
Decided: | 25.05.2022 |
Published: | 25.05.2022 |
Fine: | 50.000 EUR |
Parties: | Roularta Media Group |
National Case Number/Name: | 85/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | Beslissing ten gronde 85/2022 van 25 mei 2022 (in NL) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA imposes a fine of €50,000 on a big media company for not respecting the legislation on cookies, namely: consent granting, denying and revoking, controller responsibilities and storage limitation.
English Summary
Facts
The Gegevensbeschermingsautoriteit is currently investigating the most consulted Belgian media websites concerning the basic principles of the GDPR and ePrivacy directive. This decision of Roularta Media Group is the first result of this investigation.
The investigation found that non-strictly necessary cookies were being placed on the device of the data subject, prior to consent being granted. This included statistical, analytical and marketing cookies. Also, statistical cookies could not be denied. Consent was also not actively granted, as the boxes to grant consent were preticked. Revoking consent was not possible, on the contrary, revoking consent placed more cookies.
The controller stated that statistical cookies are used for aggregated basic statistics, necessary for the business model of the website. No personal data is being processed for this activity, as such, the GDPR does not apply. Preticked boxes could also be used for access to the data for partner companies (no cookies being placed) and thus falls outside the scope of Planet49.
The investigation also found that the controller shuffled its responsibilities, claiming that they had no control over the cookies of third parties used on its website. The controller stated it cannot verify/control which cookies are being placed by advertisers through the Real Time Bidding platform it used.
Additionally, the investigation found that the cookie policy was severely lacking on several aspects: - Implicit consent is not valid for the usage of cookies - No consent was asked to further share the data collected through cookies - Lack of clarity - The cookies listed did not match the cookies placed - There is no retention period listed, or if there was, it was unreasonably long.
The controller retaliated that the DPA did not provide adequate guidelines for companies to comply with the GDPR on these aspects and as such, they are not to blame. The controller refers to other authorities such as the CNIL and the AP for doing this.
Holding
The DPA held that cookies can only be placed without consent in two scenarios i.e. when strictly necessary: 1) When the exclusive goal is to send communication (e.g. load balancing) 2) When the cookie is strictly necessary for the expressively asked service (e.g. shopping cart functionality)
All other cookies require consent, pursuant the GDPR.
The DPA held that active consent (e.g. ticking a box as per Planet49) is necessary for lawful processing of non strictly necessary cookiescookies, regardless of the capacity of the (third) party. The controller failed to show the strict necessity of the cookies placed. On the contrary, the controller stated that it did not possess the technical expertise to implement its Consent Management Platform. This is a breach of Article 4(11), Article 6(1)(a) juncto Article 5(3) ePrivacy Directive 2002/58/EC and Article 7(1)
With regards to statistical cookies, the DPA held that prior consent is again necessary. The unique identification number assigned to visitors or reading of the IP-adres can be seen as pseudonymising personal data, at minimum making data subjects indirectly identifiable and thus making the GDPR applicable. Additionally, it falls under the scope of Article 5(3) ePrivacy Directive 2002/58/EC as the cookies access the device. This is a again a of breach Article 6(1)(a) juncto Article 5(3) ePrivacy Directive 2002/58/EC.
The DPA held that there are numerous guidelines, on different levels available for companies to ensure compliance with the applicable legislation. On top of that, case law (also from the DPA in question) exists to further support this. It is the responsibility of the controller to comply with the law. Thus, the alleged absence of concrete guidelines in the context cannot be a useful argument against a breach of data protection legislation.
The DPA held that as a controller, you are responsible for the cookies which are being placed. The fact that the RTB platform used is based on a company with a near monopoly does not exempt a controller from its responsibilities. The controller could have chosen another platform. Referring to Wirtschaftsakademie, a controller is (jointly) responsible for the usage of cookies on its website. The controller breached Article 5(2) juncto Article 24 by denying its responsibilities when it comes to placing cookies.
The DPA held that the duty of information was breached by not informing the data subjects in a clear and transparent way about the usage of cookies. This is a breach of Article 13 and Article 14 juncto Article 12(1). It is the controller's responsibility to ensure the provided information on cookies aligns with reality. The DPA held that the controller breaches the principle of storage limitation by not proactively defining the criteria for a concrete storage limitation. This is a breach of Article 5(1)e
Lastly, the DPA held that denying consent must be as easy as providing consent. Technical problems during the revocation of consent prove that the correct technical measures have not been taken to ensure the processing has been done in a compliant way. This is a breach of Article 7(3)
The DPA fines the controller €50.000 for the above described breaches, as well as commanding the controller to get its processes in line with the GDPR and ePrivacy directive within 3 months.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/58 Dispute room Decision on the merits85/2022 of 25 May 2022 File number : DOS-2020-03432 Subject: Use of cookies on Knacken LeVif's media websites (RoulartaMediaGroup) The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Christophe Boeraeve and Frank De Smet, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; In view of the law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, hereinafter WVP; Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; has taken the following decision regarding: † Defendant: Roularta Media Group, a public limited company under Belgian law, with . registered office at 8800, Roeselare, Meiboom, 33 and registered in the . Crossroads Bank for Enterprises under number 0434.278.896, represented by Master Tom De Cordier, with office at 1170, Watermael-Bosvoorde, Terhulpsesteenweg 178 (CMS)., Decision on the merits 85/2022 - 2/58 I. Facts procedure I.1. Investigation Inspection Service 1. On January 16, 2019, the Executive Committee of the Data Protection Authority (“DPA”) decides on pursuant to Article 63, 1° WOG, read in the light of Article 57, paragraph 1, points a) and h) of the GDPR, in order to submit a file to the Inspectorate in connection with the use of cookies on Belgian media websites. 2. In particular, it was decided to conduct a survey of the most consulted 1 Belgian news media: 1 HLN DPG Media nv http://hln.be/ NL 2 Het Nieuwsblad Mediahuis http://nieuwsblad.be/ NL 3 VRT VRT http://deredactie.be/ NL 4 Sudinfo Groupe Rossel http://sudinfo.be/ FR 5 La DH IPM Group SA http://dhnet.be/ FR 6 De Standaard Mediahuis http:// Standaard.be/ NL 7 RTBF RTBF http://rtbf.be FR 8 Gazet van Antwerpen Mediahuis http://gva.be/ NL 9 RTL Groupe RTL http://RTL.be FR 10 The Importance of Mediahuis http://hbvl.be/ NL Limburg 11 Le Soir Groupe Rossel http://lesoir.be/ FR 12 7 sur 7 DPG Media nv http://7sur7.be/ FR 13 La Libre IPM Group SA http://lalibre.be/ FR 14 De Morgen DPG Media nv http://demorgen.be/ NL 15 De Tijd MEDIAFIN NV http://tijd.be/ NL 16 l'Avenir Nethys.sa http://lavenir.net/ FR 17 VTM DPG Media nv http://vtm.be NL 18 Sudpresse Editions Groupe Rossel http://www.sudpressedigital.be/FR digitals 19 Knack Roularta Media http://knack.be/ NL group 20 Le Vif Roularta Media http://levif.be/ FR group 1According to 2019 figures from the Center for Information on the Media (CIM), Decision on the substance 85/2022 - 3/58 3. The aforementioned investigation related to the verification of the basic principles of the GDPR and the e-mail Privacy Policy on the use of cookies and in particular: - the clarity and accessibility of the information about cookies; - compliance with obtaining the user's consent for posting not strictly necessary cookies; - the (whether or not) placement of cookies that are not strictly necessary before the consent of the user has been obtained; - the possibility for the user to parameterize his acceptance of cookies (i.e. the possibility of differentiating options on a more general level), in in particular to refuse cookies intended for profiling for advertising purposes. The study was based on the following principles: - Further browsing is no longer accepted as it violates the GDPR; - To comply with the consent requirement, which implies a freedom of choice, the possibility to parameterize cookies and clear information about the purposes of the categories of cookies are provided; - For websites currently working with a parameter setting, the effectiveness of that parameter setting at a technical level. 4. On 7 October 2020, the inspection of the Inspectorate for the websites www.knack.be and www.levif.be and the file is transferred by the Inspector General to the Chairman of the Disputes Chamber, in accordance with art. 91, §1 and §2 WOG. 5. The inspection reports of the Inspectorate contain the following findings: 1. Placement of cookies that are not strictly necessary before consent was given obtained (potential violation of Article 6.1 a) GDPR): ▪ Article 6.1 a) GDPR and Article 129 of the law on electronic communication (WEC) determine that the consent of the data subjects is required before placing the cookies, except when it is strictly necessary cookies; ▪ The technical analysis of the Inspection Service shows that cookies are used installed before the data subject has been able to give his consent (for Knack 66 cookies and for Le Vif 60 cookies). These include third party, Decision on the merits 85/2022 - 4/58 cookies (48 for Knack, 44 for Le Vif). The technical report would also show that numerous analytical and marketing cookies have been registered. ▪ For both the Knack and Le Vif site, only 2 cookies were considered strict found necessary. 2. Statistical cookies are placed without permission (potential violation of article 6.1 a) GDPR): ▪ The cookie settings screen shows that Roularta Media Group on the websites of Knack and Le Vif considers statistical cookies as cookies that are not subject are subject to permission. After all, they are always active by default and cannot be turned off; ▪ First party “statistical” cookies are not necessarily subject to the exception of 'strictly necessary cookies' from Article 5.3 paragraph 2 of the e-Privacy Directive. The The Disputes Chamber ruled in a decision on the merits 12/2019 of 17 December 2019 that statistical cookies cannot be considered as cookies that are strictly are necessary to provide a service requested by a subscriber, in the sense of article 129 paragraph 2 WEC. It considered that the term “necessary” in accordance with the protection purposes of European data protection law be interpreted in the sense that this exception is only in the interest of the data subjects (website visitors) and not in the exclusive interest of the provider may be invoked by the information service. Even though website operators find that these cookies are indispensable for the provision of their service, they are per se not absolutely necessary to provide the information requested by the website visitor 2 provide information services. ▪ However, in the same decision, the Disputes Chamber did not exclude that certain statistical cookies are strictly necessary under certain conditions cookies would be for the provision of a requested by the data subject service, for example to detect a navigation problem. Of these, in this case, however, is not the case. 3 3. Pre-ticked boxes for the partners (potential violation of Articles4.11, 6.1 a) and 7.1 GDPR): ▪ The GDPR requires a “statement or unequivocal active act” (Article 4.11 GDPR), which means that all presumed consents based on a more 2 GK, Decision on the merits 12/2019 of 17 December 2019, https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-12-2019.pdf, 3Ibid., Decision on the merits 85/2022 - 5/58 implicit course of action of the data subject, not in accordance with the standards of the consent of the GDPR. The Inspectorate bases itself on the Planet49 judgment from which it became clear that Article 2. F (definition of consent) and Article 5.3 (consent for cookies) of the ePrivacy Directive, should be read in 4 in conjunction with Article 4.11 and Article 6.1 a) of the GDPR. The Court of Justice subsequently ruled that consent was not validly granted when the storage of information by means of cookies or access to already on the terminal equipment of the website user stored information via cookies is allowed by default checked checkboxes which the user must tick if he refuses to give his consent; 5 ▪ The technical analysis shows that the cookies of partner companies are set to being active; ▪ The Inspectorate also establishes that the defendant also does not comply with the obligation of Article 7.1 of the GDPR which imposes on him to demonstrate that the data subject has given his consent to use cookies that are not strictly necessary to place. 4. Disclaimer for third party cookies (potential violation of Article 5.2 a) and 7.1 GDPR): ▪ According to the Inspectorate, Roularta Media Group is trying to disclaim responsibility for third-party cookies that visit to the sites of Knack and Le Vif; ▪ For example, the cookie policy states that Roularta Media Group is not responsible for cookies that are placed and managed by third parties (including to make it possible share information through social networks). The cookie policy also states that Roularta Media Group has no control over certain cookies that are placed on its website are used. ▪ The Inspectorate refers to the judgment in this regard Wirtschaftsakademie of the Court of Justice which held that the owner of a website is responsible for the processing of cookies that 4Judgment of the Court of Justice of 1 October 2019, C-673/17, ECLI:EU:C:2019:801, Planet49 (hereinafter: "Judgment Planet49"), paragraph 65: “In view of the foregoing, the answer to question 1(a) and (c) is that Article 2(f) and Article 5(3) of Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46 and with Articles 4(11) and 6(1) point (a) of Regulation 2016/679, must be interpreted as meaning that the authorization referred to in those provisions does not legally valid is granted when the storage of information by means of cookies or access to the terminal equipment of the user of a website information stored via cookies is allowed by means of a ticked by default checkbox that this user should uncheck in case he refuses to grant his consent.” 5Ibid., Decision on the merits 85/2022 - 6/58 installs or reads its website. At the very least, he participates in determining the purposes and means of processing the personal data of the visitors of its website through third-party applications on its website or the dissemination of the content of third parties in the advertising spaces of its website 7 to allow. ▪ Subsequently, the Inspectorate refers to the accountability principle in Article 5.2 of the GDPR showing that the controller is responsible for compliance with the principles governing the processing of personal data and that he must be able to demonstrate compliance with these principles be taken. ▪ This practice used by Roularta Media Group should also be seen as a violation of Article 7.1 GDPR, as a controller must demonstrate that the data subject has given permission for the posting of all cookies that are not strictly necessary. 5. Wrong and faulty information (potential violationart.4.11,12.1,13and14ofthe GDPR). ▪ The Roularta Media Group cookie policy contains provisions that are not in comply with the GDPR. For example, the cookie policy speaks of implicit permission for cookies via access to the websites of Roularta Media Group, which conflicts with the need for an expression of will by a clear statement or affirmative action in accordance with Article 4.11 GDPR. Also, note that for sharing data collected through cookies no specific permission is required, which is contrary to the specific character of the consent to data processing in accordance with Article 4.11 of the GDPR; ▪ The cookie policy would also lack clarity about the necessity of the use from third party cookies due to technical problems that have been going on for more than a year last for years; 6 Judgment of the Court of Justice of 5 June 2018, C-210/16, ECLI:EU:C:2018:388, Wirtschaftsakademie, para. 39: “In this circumstances, it must be considered that the administrator of a fan page on Facebook, such as Wirtschaftsakademie, has been define institutions according to, in particular, its target audience and objectives for the management or promotion of its activities, participates in the determination of the purposes and means of the processing of the personal data of the visitors to his fan page. For this, this manager must, in this case, be regarded as a controller within the Union, jointly with Facebook Ireland, for this processing, within the meaning of Article 2(d) of Directive 95/46.” 7Ibid., Decision on the merits 85/2022 - 7/58 ▪ The Inspectorate also notes that the names of the types of cookies in the cookie policy do not match the names of the cookie categories in the cookie setting tool, which does not improve comprehensibility; ▪ In addition, the cookie policy does not include information about the storage periods of cookies. After all, the cookie policy would mention a unlimited storage period for cookies; ▪ The cookie policy states that the partners use the “IAB Europe” Transparency & Consent Framework” that would ensure that third parties comply with the GDPR comply. However, of the 449 partners that are on the Knack and Le Vif sites mentioned, 312 have not been validated or are no longer validated by IAB; ▪ The fact that the user must follow the policies of the 449 sellers (“vendors”) to find out what these companies do with his data and make an informed decision on that basis to obtain his/her consent giving is more than illusory and impracticable. In addition, this will likely lead to place even more cookies when visiting the links to this one partners; ▪ Finally, it is noted that cookies are not individually documented, making the user unable to control what happens to their data is being done. 6. Unjustified storage periods of cookies (potential violation of article 5.1e) of the GDPR): ▪ The Inspection Service refers to article 5.1e) AVG, which stipulates that cookies should not be kept for longer than is necessary to achieve the purpose. This one retention period may therefore not be indefinite. The information that becomes collected and stored in a cookie and the information collected as as a result of reading a cookie should be deleted if it is not longer is needed for the intended purpose. A cookie that is exempt from the consent requirement must have a lifetime that is directly related with the purpose for which it is used and must be set up to expire as soon as it is no longer necessary, taking into account the reasonable user expectations. Cookies that are exempt from the consent requirement will therefore generally have to expire when the 8 browser session ends or even earlier ; 8 See “The lifespan of cookies” and the “Questions” in the theme file “Cookies” on the website of the GBA, https://www.dataprotectionauthority.be/burger/thema-s/internet/cookies., Decision on the merits 85/2022 - 8/58 ▪ The technical analysis report shows that the effective storage periods are unreasonable are long and that cookies have a lifespan of several years. It cookie policy mentions a storage period that is in principle unlimited. 7. Non-compliance with the withdrawal of consent (potential violation of Article 7.3 GDPR): ▪ Article 7.3 of the GDPR provides that the data subject has the right to give his/her consent withdraw at any time; ▪ The technical analysis shows that the withdrawal of consent is not is effective. The technical analysis of the Knack site shows that the number cookies does not decrease after returning to minimal choices. The Inspection Service states established that if she withdraws her consent again, there will be no change in the 9 amount of cookies loaded, on the contrary, the number of cookies increases. From the technical analysis of the Le Vif website shows that it is impossible to operate the cookie management tool after the first consent has been given. 6. On November 6, 2020, the Disputes Chamber requests the Inspectorate on the basis of Article 94, 2° and 96, § 2 WOG for additional information regarding the technical investigation reports. 7. On November 30, 2020, the additional investigation will be completed and the Inspectorate will provide an additional investigative report to the Disputes Chamber. I.2.The procedure before the Disputes Chamber 8. On 21 December 2020, the Disputes Chamber decides on the basis of Article 98 WOG that the file ready for treatment on the ground. 9. On December 21, 2020, the defendant will be notified of this decision, as well as the inspection report and the inventory of the documents in the file submitted by the Inspectorate was transferred to the Disputes Chamber. The defendant is also under Section 99 WOG notified of the deadlines to submit its defenses. The deadline for receipt of the defendant's response was laid down on February 9, 2021. 10. On January 6, 2021, the Disputes Chamber will receive a letter from the defendant's counsel. In the aforementioned letter requests the defendant for a copy of the file (art. 95, § 2, 3° WOG) and it asks the Disputes Chamber to be heard in accordance with Article 98 WOG, in order to: to explain its defenses orally. 9See page 46 of the De Knack Inspection Report: “Between step 24 “everything” and step 26 “minimum”, the number of cookies not finished”., Decision on the substance 85/2022 - 9/58 11. On January 18, 2021, the Disputes Chamber will send a copy of the file to the defendant. 12. On 9 February 2021, the Disputes Chamber receives the statement of defense from the defendant. Following is the summary of pleas and arguments formulated by the defendant in that conclusion. 13. In its reply, the defendant points out, first, that there are some inaccuracies were during the GBA's investigation. ▪ Means 1: the investigation was not carried out according to the rules of the art of are applicable. o The manual cookie scans are missing essential elements, namely the list of URLs visited and specific requests related to the placement of cookies. This makes it impossible for Roularta Media Group to determine which URLs were visited during the study and whether these URLs were limited to Roularta and whether cookies were already present during each consent scenario or were placed. o Cookiebot and Onetrust were used as classification mechanisms (both do not provide information and methodology on the used classification method). o In addition, the Inspectorate used a free version of both mechanisms which does not contribute to the credibility of the research. o Finally, OneTrust and Cookiebot's ratings show conflicts, and nowhere in the study is it clarified how these are resolved when the mechanisms are applied to Roularta's cookies. o Unclear terminology: “no technology”, “further browsing”, “CMP”, “cookiewall”, “persistent banner”, “non-permanent banner”. o Unprofessional tooling: both WEC and Cookie Manager are immature github repositories according to any software development standard. Although the WEC it bears the stamp of approval of the EDPB, this repository is exclusively developed by Robert Riemann, IT Policy Officer at the European regulator for data protection (EDPS), and is not actively maintained, assuming on the number of recent pull requests and open issues. Also Cookie Manager was developed by a private individual (Rob Wu) who has no specific privacy or has security background., Decision on the merits 85/2022 - 10/58 ▪ Means 2: the document uses sources/tools that are not official o The sources for the cookie format cannot be verified, and the documented sources are not reliable. Both OneTrust and Cookiebot have built their own cookie classification database that controllers supported by their understanding of cookies and bootstrap during implementation of a CMP. o Regarding OneTrust: the classifications are based on the guidelines of the ICC in the UK, which are no longer available, and supplemented by "a layer of simple rules that allow clearer decisions to be made in certain edge case scenarios, and a methodology for the classification of best practices when further information on the use of certain cookies is not otherwise available". o As for Cookiebot: Owned by Swedish privacy company Cybot, gives only indicates that the company maintains a global cookie repository without methodology and sources. o The credibility of these classifications is further affected by the fact that the Researcher uses free versions of both Cookiebot and OneTrust aiming to encourage users to subscribe to a full subscription to buy. o Reference to website gdpr.eu for definition of strictly necessary cookies: website is owned by the Swiss company Proton Technologies AG. The Inspectorate could also refer to the correct legislation. o Ratio of third-party cookies: The inspectorate claims that the ratio between first and third party cookies in the context of strictly necessary cookies serves as proxy for potential breach. While there is absolutely no causal relationship between the purpose of a cookie and domain ownership. o Manual cookies do not contain time stamps. As a result, Roularta cannot verify whether these cookies are actually placed in sequence and which ones cookies are added after a specific permission setting. 14. The defendant then addresses the findings of the Inspectorate: ▪ Fix 1: placement of non-strictly necessary cookies before consent was obtained, Decision on the substance 85/2022 - 11/58 o Roularta states in its conclusions that it cannot verify which cookies are on the time of the findings were effectively placed. She declares that by lack of technical knowledge at Roularta there was a poor implementation from OneTrust. Cookies that would have been placed by advertisers should normally follow the consent obtained through the IAB TCF passed. According to Roularta, however, it is very difficult to permanently check whether all IAB vendors adhere to the agreements of the IAB TCF. o Roularta does indicate that in 2021 it will bring all news and content websites under one Roularta domain so that this problem is much better controlled can become. ▪ Fix 2: statistical cookies without permission o According to Roularta, placing statistical cookies before permission was obtained in accordance with art. 6.1 a) GDPR. This is due to the fact that the The purpose of placing these statistical cookies is to provide aggregated collect basic statistics about the use of its websites, which means is necessary for the business model of the websites: ▪ advertisers must be trusted and certified by the CIM (Centre for Information about the Media) controlled visitor figures available be asked; ▪ on the other hand, editors must be able to read the result of online to measure published articles in order to be able to continuously evaluate and adjust. o Defendant refers to the fact that aggregated data outside the scope of the GDPR. o In addition, the DPA had not yet published official guidelines on the obligation to obtain permission to place statistical cookies. Defendant then refers to the position of both the CNIL (French Authority) and the AP (Dutch Authority) regarding statistical cookies. It states that it maintains its practice with regard to statistical cookies inspired by the recommendations of the CNIL and the AP. Corresponding own interpretationswasRoularta's practice with regard to statistical cookies in compliance with the WEC and the GDPR. ▪ Identification 3: pre-ticked boxes for the partners, Decision on the substance 85/2022 - 12/58 o Roularta believes that the use of pre-ticked boxes is a valid permission. o Partner companies within the OneTrust Consent Management Platform were default to "active", but Roularta clarifies that this does not mean that cookies were installed by those partner companies. So it wasn't about a permission to place cookies, but about a permission for give a number of partner companies access to data for one or more purposes. For example, if the data subject did not accept advertising cookies, then these partner companies would also not be able to place advertising cookies. o Roulartai's view, in the light of the case law of the Court of Justice in the judgment Planet49, that the practice whereby cookies from partner companies are being “active” constitutes a valid consent within the meaning of Articles 4.11 and 6.1 a) GDPR. o Roularta points out that they have switched to the Didoma Consent Management Platform in March 2020, and now none of the partner companies is still automatically set to “active” and the user always has to make an active choice to make. ▪ Fix 4: Disclaimer for Third Party Cookies o Roularta states that it is not responsible for the processing of cookies used by third parties are placed within the framework of the IAB TCF. o The defendant relies on the IAB Europe investigation for its argumentation: “Belgium's Data Protection Authority found IAB Europe's Transparency and Consent Framework does not meet several standards under the EU General Data Protection Regulation, TechCrunch reports. The DPA determined the framework fails to comply with the GDPR's principles of transparency, fairness and accountability. IAB Europe said in response it “respectfully disagree[s] with the [Belgian DPA]'s apparent interpretation of the law, pursuant to which IAB Europe is a data controller in the context of publishers' implementation of the TCF [Transparency & Consent Framework (TCF)'". o Subsequently, the defendant argues that, should the DPA come to a different conclusion, its practices nevertheless comply with Article 5.2 of the GDPR. The accountability means “(I) the need for a for the controller to take appropriate and effective measures to implement the principles of data protection…” No guidelines have been published by the DPA clarifying what, Decision on the merits 85/2022 - 13/58 is meant by a minimum of appropriate and effective measures. In addition, Roularta has chosen to use the IAB Framework described as “the most sophisticated and scrutinised” model of GDPR compliance for digital advertising in the world”. o Roularta clarifies that the disclaimer was not intended to shuffle off responsibility but give more to indicate that they are not is able to block cookies placed by third parties. o With regard to elements II and III of Article 5.2 of the GDPR: “(ii) the need to request demonstrate that appropriate and effective measures have been taken. The controller must therefore be able to provide evidence of (i) above”. Defendant admits that the statement in the cookie policy that “Roularta Media” Group is not responsible for the cookies placed by third parties and managed, among other things, to make it possible to share information via social media networks” and that “Roularta Media Group has no control over certain cookies used on its website” which was worded in an unfortunate way. Defendant argues that it was not so much the intention to disclaim responsibility to indicate that Roularta is technically unable to accept cookies block those placed by some third parties (in this case: advertisers) become. Advertisers and agencies, when an ad campaign is on one of the Roularta sites is shown, via those campaign cookies or scripts launches that are impossible for Roularta to know in advance. Roularta states in its conclusions that the statement in the cookie policy in issue was removed because it can be turned into TCF framework since the IAB assumed that IAB vendors no longer use cookies or scripts in accordance with this framework unless there is permission for both the cookies and the vendor involved approved in the list of partner companies. ▪ Conclusion 5: wrong and faulty information Regarding the statement “.. the lack of clarity in the cookie policy regarding the necessity of using third party cookies is due to technical problems”: o Position of Roularta: At the time of adoption by the GBA, this problem has already been solved but it was still in the privacy policy. At, Decision on the substance 85/2022 - 14/58 update of the cookie policy on June 23, 2020 this entry was removed. Specifically, the problem was that Knack used a new registration system since November 2018. This registration system used functional cookies, to ensure that users do not have to log in again and again sign in. Technically, this cookie was a third-party cookie. It turned out be a problem for users who default third party cookies refused (they had to re-register each time). This problem became raised with the supplier of the registration system with a view to a quick solution. A solution was sought, but turned out to be more difficult than thought. They had to find a way in which people who are only first-party accept cookies can remain logged in on the website. About the mismatch of the names of the cookies in the cookie policy, on the one hand, and the categories of cookies in the cookie setting tool, on the other hand: o Roularta's point of view: Roularta had no choice but to terms used by IAB TCF on its consent tool (on penalty of exclusion from the TCF). About the fact that the cookie policy would not contain any information regarding the storage periods: o See statement of defense about determination 6. Regarding the listing in the consent management tool related to the use of the “IAB Europe Transparency & Consent Framework”: o The statement and brief explanation were only intended to provide transparency create and inform the user about how Roularta want to control the use of cookies, namely by joining a internationally recognized standard within the digital advertising world. Regarding the fact that the user of the website has followed the cookie policy of the 449 should consult vendors to get an idea of what's happened with her data: o An obligation imposed on it by the IAB TCF. With regard to not individually documenting the cookies: o Fixed in the meantime by an update of the cookie policy. ▪ Statement 6: Unjustified storage periods of cookies, Decision on the merits 85/2022 - 15/58 o Here again, the defendant refers to the lack of precise guidelines as to what concerns the lifespan of cookies. o She states that this makes it very difficult for companies to (1) understand what the lifespan is when cookies “should not be kept longer than the time” necessary to achieve the intended purpose” and (2) their practices must adjust to comply with the GBA. o The Inspectorate also incorrectly stated that no information about the storage period of cookies can be found in the privacy policy (piece 8): “La durée the conservation variety de cookie à cookie, en général les cookies sont stockés jusqu'à ce que l'utilisateur supprime les cookies (...)". Paragraph 11 of the privacy policy(Part8)in factcontainstwotypesofinformationabouttheretention time of cookies: (i) the fact that the duration varies from cookie to cookie (ii) the fact that the user can disable cookies, resulting in zero retention time (since cookies are not active). It is therefore incorrect to state that Roulartaeen has a retention period, which is in principle unlimited. It is correct that there is no concrete information could be found about the storage period of cookies, but it goes too far that the Inspectorate equates this with an unlimited duration. o Defendant also refers to an amended privacy policy on June 23, 2020, where now a detailed description of the retention period can be found to find. ▪ Notice 7: Non-compliance with the withdrawal of consent o This was due to the technical difficulties related to the use of the cookie tool OneTrust. The problem was solved by implementing the Consent Management Platform Didomi. o Withdrawing consent should be as easy as giving it of it:Roulartaprovides a simple and easily accessible tool, and without lowering the level of service. o In addition, Roularta cannot effectively remove a particular cookie itself from the device, this should be done by the person concerned. o In summary, the consequence of withdrawing consent is: “it blocking and subsequent deletion of cookies in the browser of the user, no more data processing will take place”. The cookies will still be installed on the user's device, but they will be inactive and no longer functional., Decision on the merits 85/2022 - 16/58 15. On December 6, 2021, the Defendant will be notified that the hearing will be take place on December 17, 2021. 16. On December 17, 2021, the defendant will be heard by the Disputes Chamber. 17. On 23 December 2021, the minutes of the hearing will be sent to the counsel of the submitted to the defendant. 18. On January 6, 2022, the Disputes Chamber will receive the defendant's comments with with regard to the official report, which it includes in its deliberations. 19. On April 20, 2022, the Disputes Chamber notified the defendant of its intention to proceed with the imposition of an administrative fine, as well as the amount thereof in order to give the defendant the opportunity to defend itself before the sanction takes effect is imposed. 20. On 11 May 2022, the Disputes Chamber will receive the defendant's response to the intention to the imposition of an administrative fine, as well as the amount thereof. II. Justification II.1. Competence of the Data Protection Authority 21. In accordance with Article 4, §1 WOG, the Data Protection Authority is “responsible for” monitoring compliance with the basic principles of data protection, within the framework of this law and of the laws containing provisions for the protection of the processing of personal data.” From the wording of the Explanatory Memorandum of the WOG shows that the competence of the GBA must be interpreted very broadly: “The Data Protection Authority acts with regard to legislation that contain provisions regarding the processing of personal data, such as, for example the law regulating a national register, the law establishing and organizing a Crossroads Bank for Social Security, the Act establishing a Crossroads Bank for Enterprises, etc.” 10 It can be deduced from the foregoing that the intention of the legislator was to make the GBA a confer general and horizontal competence with regard to the protection of personal data. The GBA therefore not only has supervisory powers with regard to the GDPR, 10Belgian Chamber of Representatives, Draft law establishing the data protection authority, 23 August 2017, DOC 54 2648/001, 13., Decision on the merits 85/2022 - 17/58 but also with regard to other legislation relating to the processing of personal data. 22. With regard to the use of cookies, reference should be made in this regard to the European Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and protection of privacy in the electronic communications sector (“e-mail privacy directive"), which has been partially transposed in Belgian law by the Electronics Act Communications (WEC). In particular, Article 5(3) of the ePrivacy Directive is important in this regard, such as converted at the time into (former) Article 129 WEC (cf. infra). The first provision reads as follows: "Member States shall ensure that the storage of information or the obtaining of access to information already stored in the terminal equipment of a subscriber or user, is only allowed on the condition that the subscriber or user concerned has consent has provided, after having been provided with clear and complete information in accordance with Directive 95/46/EC, including on the purposes of the processing. This does not constitute a prevent any form of technical storage or access for the sole purpose of carrying out the transmission of a communication on an electronic communication network, or, if strictly necessary, to ensure that the provider of a service expressly requested by the subscriber or user of the information society provides this service.” 23. With regard to the jurisdiction of the Disputes Chamber with regard to the e-Privacy Directive and the WEC refers the Disputes Chamber to its previous decisions 12/2019 of 17 December 2019, 19/2021 of February 12, 2021, 24/2021 of February 19, 2021 and 11/2022 of January 21, 2022. 24. The Disputes Chamber furthermore emphasizes that as a body of the GBA it is competent to rule on the legality of personal data processing activities in accordance with Article 4, §1 WOG, as well as Article 55 GDPR, and this in the light of Article 8 of the Charter of Fundamental Rights of the European Union. 25. Furthermore, at the time of the Inspectorate's findings, under Belgian law, the Belgian Institute for Postal Services and Telecommunications (BIPT) the competent authority for the law on electronic communications (WEC), including Article 129 of that Act, which implements Article 5(3) of the ePrivacy Directive. Nevertheless, the concept depends consent under the ePrivacy Directive inseparable from the requirements of consent under the GDPR, which was also clarified in guidelines regarding consent by the WP29 as 11 legal predecessor of the European Data Protection Board (hereinafter: “EDPB”). 1EDPB, Guidelines 5/2020 on consent in accordance with Regulation 2016/679, 4 May 2020, inter alia para. 7., Decision on the merits 85/2022 - 18/58 26. In addition, in this regard, particular reference should be made to Opinion 5/2019 of the EDPB on the interaction between the ePrivacy Directive and the General Regulation Data protection, in which the EDPB states: “The data protection authorities are empowered to enforce the GDPR fact that a sub-part of the processing within the scope of the e-mail Privacy Directive, limits the powers of data protection authorities not under the GDPR”.12 27. In the aforementioned opinion, the EDPB states that the provisions of the ePrivacy Directive are after all “clarify and complete” with regard to the processing of personal data in the sector of electronic communications, with a view to ensuring compliance with the Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Article 5, paragraph 3 of the ePrivacy Directive is hereby cited as an example of such a “specification provision”. 28. That the provisions of the ePrivacy Directive - as well as its transposition provisions - as a clarification of and addition to the provisions of the GDPR should be considered, is also explicitly confirmed in the Explanatory Memorandum to the WEC bill: “Section 2 of Chapter III of Title IV is mainly devoted to the transposition of Directive 2002/58/EC of 12 July 2002 of the European Parliament and of the Council on the processing of personal data and the protection of privacy in the electronic communications sector (the so-called «Privacy Directive and electronic communication», hereinafter referred to as: «the Privacy Directive»). The provisions of this department set up a specific privacy protection regime in some places, adapted to the characteristics and needs of the electronic communication.Other placestheprovisionsofthisdepartmentmustbeseen as a supplement to the provisions of the Act of 8 December 1992 on the protection of privacy with regard to the processing of personal data (hereinafter referred to as: “the Privacy Act”).” 15(own underlining) 29. In its judgment Planet49, the Court of Justice also ruled that the collection of cookies as processing of personal data can be considered. The Court confirmed in the aforementioned judgment that the intent of Article 5(3) of the ePrivacy Directive is to “tell the user protect against interference in his private life, whether or not that interference relates to 12EDPB, Opinion 5/2019 on the interplay between the ePrivacy Directive and the General Data Protection Regulation, with in particular as regards the tasks and powers of data protection authorities, 12 March 2019, marginal no. 69. 13 Ibid, edge no. 38. 14Ibid, edge no. 41. 15 Bill on Electronic Communications, Parl. St. Kamer, DOC 51 1425/001, p. 73. The current Article 129 is in the draft law article 138. 16 Judgment Planet49, § 45., Judgment on the substance 85/2022 - 19/58 personal data". Furthermore, the Court of Justice stated that Article 5(3) of the ePrivacy Directive must be interpreted in the light of the GDPR, and in particular Articles 4.11, 6.1 a) (consent requirement) and 13 GDPR (information to be provided). 30. In this regard, the Disputes Chamber also refers to the proposal for the e-Privacy Regulation in which provides that the supervision and compliance with the Regulation will be entrusted to the supervisory authorities responsible for the supervision of Regulation (EU) 2016/679. 18 31. Finally, the Disputes Chamber points out that since the entry into force of the Act of 21 December 2021 transposing the European Electronic Communications Code and amendment of various provisions on electronic communications on January 10, 2022 the DBA is henceforth competent, in accordance with Belgian law, for the supervision of the provisions relating to the placement and use of cookies (i.e. “storing information or gaining access” to information already stored in a subscriber's or user's terminal equipment"). The aforementioned law brought changes to the WEC, among other things. In particular, Article 256 provides for the law of December 21, 2021 the abolition of article 129 WEC and the transfer of this provision according to the law of 30 July 2018 on the protection of natural persons with 19 regarding the processing of personal data (WVP). Article 10/2 WVP now reads as follows: “In application of Article 125, § 1, 1°, of the Law of 13 June 2005 on electronic communication and without prejudice to the application of the Regulation and this law, the storage of information or accessing information already stored in the a subscriber's or a user's terminal equipment is permitted only on the condition that: 1° the subscriber or user concerned, in accordance with the conditions laid down in the Regulation and in this law, get clear and precise information about the purposes of the processing and its rights under the Regulation and this law; 2° the subscriber or end user has given his consent after being informed in accordance with the provision under 1°. The first paragraph does not apply to the technical storage of information or access to information stored in the terminal equipment of a subscriber or an end user with as the sole purpose of transmitting a communication via an electronic communications network 1Judgment Planet49, §69. 18Article 18, Proposal for a Regulation of the European Parliament and of the Council on respect for the privacy and the protection of personal data in electronic communications, and repealing Directive 2002/58/EC, COM/2017/010 final. 19Law of 21 December 2021 transposing the European Electronic Communications Code and amending various provisions on electronic communications, Belgian Official Gazette 31 December 2021., Decision on the merits 85/2022 - 20/58 perform or provide a service expressly requested by the subscriber or end user when this is strictly necessary.” In view of the fact that the GBA has the residual competence to supervise the provisions of the WVP, the material competence of the GBA with regard to the placement and use of cookies confirmed. 32. The Disputes Chamber points out, however, that, in view of the fact that this amendment dates from after the conclusion of the debates in the present case, in this case further account will be taken of the legislative framework as it existed at the time of the (start of) procedure before the GBA. 33. In any case, the GBA is therefore competent to judge – also under the legal situation that applied at the time of at the time of the determinations of the Inspectorate – to judge the legal validity of a given permission to place cookies. In that sense, the GBA is also authorized to: to exercise its powers of control over all other terms and conditions that are imposed by the GDPR for activities involving the processing of personal data – such as 20 the obligations regarding transparency and information (Article 12 et seq. GDPR). II.2. Introduction to the general principles regarding the use of cookies 34. Before discussing the findings contained in the report of the investigation, the Litigation Chamber it is useful to understand the general principles regarding the use of cookies and other means of tracing. 21 35. The term "tracking tools" includes cookies and HTTP variables, which may be placed via web beacons or web pixels, flash cookies, access to terminal information from APIs (Local Area Network), and information from APIs (LocalStorage, IndexedDB, advertising identifiers such as identifiers such as IDFA or Android ID, GPS access, etc.), or any other identifier generated by a software or an operating system (serial number, MAC address, unique terminal identifier (UDI), or a set of data used to uniquely identify the terminal (e.g. via fingerprints). 36. Cookies and other tracking devices can be distinguished by various criteria, such as the purpose they serve, the domain in which they are placed, or their lifespan. 20Comparison about the scope of this control power as well as the judgment of the EU Court of Justice of 15 June 2021, C-645/19, ECLI:EU:C:2021:483, para. 74. 21 See also the theme page on the website of the Data Protection Authority, available at: https://www.dataprotectionauthority.be/burger/thema-s/internet/cookies, Decision on the merits 85/2022 - 21/58 37. Cookies can be used for various purposes (for example, to support the communication over the network, for audience measurement, for marketing and/or behavioral advertising purposes, for authentication purposes, etc.). 38. They can be used, inter alia, to support communication over the network (login cookies), to measure the audience of a website (visitor number cookies, also called referred to as "analytical cookies" or "statistical cookies"), for marketing and/or advertising based on of behaviour, for authentication purposes, for website security, for load balancing, to personalize the user interface or to allow the use of a media player to create (flash cookies). 39. Cookies can also be distinguished based on the domain through which they are stored placed on your device. The "first party" cookies are placed directly in the address bar of the browser by the registered domain. In other words, it concerns cookies that owner of the website you are visiting. The "third party" cookies are posted by a domain that is different from the domain you are visiting. This is the case when the website incorporates elements from other websites, such as images, social media “plugins” (for example, the Facebook “like button”) or advertisements. When this elements retrieved by the browser or other software from other websites may these websites also place cookies that can then be read by the websites that have them posted. These "third party cookies" enable these third parties to track the behavior of the tracking internet users over time and across numerous websites and based on this to create data profiles of people (profiling), so that they can be used in the future, for example be able to place more accurate and targeted marketing during the future surfing sessions of these internet users, who are traced in this way. 40. Cookies can be further distinguished according to their lifespan. In this regard, made a distinction between "session cookies" and "persistent cookies". Session cookies become deleted automatically when you close your browser, while the "persistent cookies" are in your device (computer, smartphone, tablet, etc.) remain stored until a predetermined expiration date (which can be expressed in minutes, days or years, if applicable). 41. Furthermore, from a legal point of view, a distinction must be made between, on the one hand, the means of tracking which require the prior consent of the user and, on the other hand, those for which it is not required. 42. In accordance with article 129 WEC, there are two situations in which for the setting or reading of cookies 22 no prior consent should be obtained from the data subject: 22In so far as relevant, Section 129 WEC reads as follows: “The storage of information or the gaining of access to information that is already stored in the terminal equipment of a subscriber or a user is only permitted on the condition that […] 2° the subscriber or end user has given his consent after being informed in accordance with the provisions in 1°. The first paragraph is, Decision on the substance 85/2022 - 22/58 1) when the cookie has the sole purpose of sending a communication via a electronic communications network (for example, load balancing cookies); and 2) when the cookie is strictly necessary to enable an express by the subscriber or end user to provide the requested service (such as, for example, cookies that enable the shopping cart or cookies that are used to ensure the security of a banking application). 43. For the placement of other cookies and tracing means, the prior User consent is required, in accordance with Article 129 WEC. 44. This includes cookies or other tracking devices that enable the display of (personalized) advertising or related features for sharing on social networks. Bee In the absence of a valid consent, these not strictly necessary cookies cannot be used on the device of the user are placed or read. 45. The Disputes Chamber points out that, in order to be in accordance with the GDPR, the aforementioned consent should be informed, specific and free and that the user can do it just as easily must be able to revoke if it was given (cf. also infra title II.5.6). II.3. As to the alleged lack of guidance 46. In its response, the defendant argues that cookie compliance is a technical and is a complex subject that requires both technical and legal expertise. She argues that the GBA would not have provided sufficient support to companies to comply with applicable regulations to apply correctly. 47. More specifically, the defendant argues that the GBA, at the time of the findings by the Inspection service in this file, had not issued any guidelines regarding the use of cookies. This is in contrast to the French supervisory authority (CNIL). 48. The Disputes Chamber points out that both at the level of the European Union and at the Belgian level, advice and positions from authorities already existed regarding cookies under the e-mail privacy directive many years before 25 May 2018. 23 At the European level, the Working Group Article 29 in 2012 expresses an opinion on the exceptions for consent for cookies. 24 on at the Belgian level, the legal predecessor of the GBA, the Commission for the not applicable for the technical storage of information or access to information stored in the terminal equipment of a subscriber or end user for the sole purpose of transmitting a communication over an electronic communications network or to provide a service expressly requested by the subscriber or end user when doing so is strictly necessary for this." (the Disputes Chamber underlines) 23 Pursuant to Article 99 of the GDPR, the Regulation has been in force since that date. 24 WP29, Opinion 04/2012 on Cookie Consent Exemption (“Opinion 4/2012 on waiver of the consent obligation for cookies”), 7 June 2012, WP194, available at: https://ec.europa.eu/justice/article-29/documentation/opinion- recommendation/files/2012/wp194_en.pdf., Decision on the merits 85/2022 - 23/58 Protection of Privacy (“CPP”), guidelines already in 2015 regarding the use of cookies. 25Furthermore, at the time of the determination of the Inspectorate, and there are currently many guidelines and advice that are directly relate to the situation regarding cookies that occurs in this file, such as guidelines on legal consent. 26 49. It is indeed true that the legal situation, as well as the technical possibilities with and for cookies, have changed since the entry into force of the GDPR. The Disputes Chamber has already 2019 made its first decision on cookies, which was also published on the website of the Data Protection Authority. 27 50. Although the Disputes Chamber clearly recognizes that both the EDPB and the GBA itself as supervisory authority have powers to formulate opinions and guidelines and publication in connection with the protection of personal data, the Disputes Chamber points out points out, however, that this is part of the tasks and competences of those institutions, and not in itself 28 is an obligation. After all, it cannot be expected from supervisory authorities become that in a digitized society on every (changed) aspect of the processing of take a position of personal data proactively, where the lack of such positioning would hinder enforcement. 51. For that reason, the European legislator has chosen to take responsibility for place the processing of personal data with the controller, without reservation in the absence of clarity regarding certain technical situations. 29 Among those processing responsibility also includes demonstrating that data subjects have a legally valid consent, as well as the adequate follow-up of the consequences of its withdrawal, 30 which is extremely relevant in the present case. 52. In this regard, it is the defendant, as operator of the contested websites, which chooses a certain structure by a certain provider for placing cookies (choice for certain “resources”) to collect advertising income through this way, among other things (choice for a particular “purpose”). Due to the defendant's choice of a particular management of its websites, it is the complexity of the defendant's processing activities per se that necessitates a 25 CPP, Recommendation of its own accord on the use of cookies no. 01/2015. 26At the time of the determinations, the following guidelines, among others, were relevant: WP29, Guidance on Consent under Regulation 2016/679, WP259 rev.01, as adopted by the European Committee for Data protection dd. May 25, 2018: EDPB, Endorsement 1/2018, available at: https://edpb.europa.eu/sites/default/files/files/news/endorsement_of_wp29_documents_en_0.pdf. 27 Dispute Chamber Data Protection Authority, Decision 12/2019 of 17 December 2019, available at: https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-12-2019.pdf. 28Resp. Articles 70(e) and 58(3)(b) GDPR. 29 Articles 5, paragraph 2, as well as 24 and 25 GDPR; 30Comparatorinformativetitle:E.M.FRENZEL,"DS-GVOart.5. GrundsätzefürdieVerarbeitungmensenbezogenerDaten”inBoris P Paal and Daniel Pauly (eds), Datenschutz-Grundverordenung Bundesdatenschutzgesetz (CH Beck 2021), (85)106, marg. 52., Decision on the substance 85/2022 - 24/58 thorough - and admittedly technically complex - investigation and subsequent analysis of a factual situation. The alleged lack of concrete guidelines in the current context cannot therefore serve as an argument against a breach of data protection law. II.4. As for the alleged inaccuracies during the investigation 53. The defendant argues in the first instance that the Inspectorate's investigation did not performed according to the rules of the art. In summary, the defendant argues that: - there are discrepancies between the results obtained through the automated and de manual cookie scan; - there is a lack of documentation of the cookie classification by Onetrust and Cookiebot; - unclear terminology is used in the research report; - use is made of unprofessional tooling. 54. Second, the defendant alleges that the Inspectorate used sources and tools that were not be official. 55. The Disputes Chamber first points out that, in accordance with Article 72 WOG, the inspector generals and inspectors may “proceed to any investigation, any inspection, any interrogation, as well as obtain any information they deem necessary to satisfy themselves that the Fundamental Principles of the protection of personal data, within the framework of this law and of the laws enacted contain provisions on the protection of the processing of personal data, to which they supervision, are actually complied with”. 56. Article 67 WOG provides that “the investigative measures [may] give rise to a lawsuit verbally establishing an infringement. That official report has evidential value to the contrary has been proven”. The Inspectorate has carried out several investigative acts of which it de detailed results in reports. 57. The findings of the Inspectorate are administrative acts that fall under the material motivation obligation, and for that reason must be supported by "motives that are legitimate" 31 and are in fact acceptable and which must therefore be verifiable." material obligation to state reasons, on the other hand, it is not required that such motives are explicitly stated be included in the administrative act itself. In other words, it is not required that the Inspection service all aspects – such as a detailed outline of the programming language used 31I. Opdebeek & S. De Somer, General Administrative Law (2nd edition), 2019, 435, par. 944., Decision on the merits 85/2022 - 25/58 within and with which it uses research instruments, the technical terminology and so on – formally reasons for its findings. 58. It is only in the context of "decisions of individual scope", such as the present one of the Disputes Chamber, that in the decision itself (explicitly) the legal and factual considerations must be stated on which the decision is based, and this in an adequate manner. 32 De Belgian legislator has approved the review of the investigative acts of the Inspectorate expressly restricted, since it leaves it to the Inspector General and his inspectors to ensure "that the resources they employ are appropriate and necessary." (art. 64, §2 WOG). It is therefore not up to the Disputes Chamber to make the choices for certain to test investigative resources, where they appear to be within the powers of the Inspectorate and in which the principles of general good governance have apparently been observed .33 59. As regards the discrepancies invoked by the defendant between the manual and the automated cookie scan, the Disputes Chamber points out that the aforementioned differences explained by the fact that additional operations were performed manually during the manual scan, or the “maximum” permission was granted in the cookie banner, which means additional cookies were placed. However, this is not possible with the automated cookie scan – performed through the Website Evidence Collector (WEC) – which cannot grant permission and through which therefore only detects those cookies that have been used without permission posted. 60. It should also be noted in this regard that this was expressly stated in the technical investigation report drawn up by the Inspectorate. 34 61. With regard to the cookies that were placed without permission, it should be pointed out that the different methods actually yielded almost the same results. 62. In this regard, it should also be emphasized that it is by no means technically possible that cookies would be detected that were not placed. If the detection of the cookies had been done carelessly - quod non - this could only have resulted in effectively placed cookies were not detected by the tool and as a result this should only be done in the could have benefited the defendant. 32Article 3 Law of 29 July 1991 on the express statement of reasons for administrative acts, see also judgment of the Court of Appeal Brussels (Market Court section) of 9 October 2019, 2019/AR/1006: “The main raison d'être of the obligation to state reasons […] consists in the fact that the person concerned must be able to find the same motives as to which they are interested in the decision was taken […]" 33See mutatis mutandis also Judgment of the Brussels Court of Appeal (Market Court section) of 7 July 2021, 2021/AR/320, 21: “The [Marktenhof] has no jurisdiction to adjudicate on statements made by the Inspectorate […]” 34 For example, technical research report website Knack, p.4(“3.Analysis”):“First, all websites, including the website of “Knack”, automatically investigated by WEC. Then the various choices presented, provided by the website with regard to cookies, manually followed from “minimum” consent to “maximum” consent (…)”., Decision on the merits 85/2022 - 26/58 63. In line with this, the Disputes Chamber points out, with regard to the argument of the defendant, according to which it is not possible to verify whether the investigation whether or not cache memory has been emptied and temporary internet files may be present were, can only be relevant for the manual search via Cookiemanager, but that this is not of applies to the automatic inquiry carried out via the WEC (which always starts as if the browser hadn't been manipulated in that sense in any way yet). Also during this last automatic search did detect not strictly necessary cookies on the researched websites. 64. As regards the argument raised by the defendant regarding the alleged unprofessional character of the tools used, in particular theWebsiteEvidenceCollector, the Disputes Chamber first points out that, in accordance with Article 64, §2 WOG, the inspector General and the inspectors, when exercising the powers referred to in Chapter 6, ensure that the resources they use are appropriate and necessary. This is the case regardless whether the resource used is ad hoc software or not, a beta version or not. 65. In addition, it should be noted that the changes made between versions 0.3.1 and 1.0.0 applied to the tool WEC only concern "features" or "bug fixes", i.e. improvements benefit of the researcher so that the tool does not crash, freeze or generate errors. In other words, if the WEC version 0.3.1 has detected a cookie, it means that the tool has worked. After all, it is impossible for an instrument like this to be accidentally detect a non-existent cookie. 66. Finally, the Disputes Chamber points out that the defendant in no way demonstrates that this, as controller, is able to make a full inventory of the placed to make cookies. At no point during the proceedings does the defendant have its own an inventory of the cookies used on the websites concerned. On the contrary the defendant argued at the hearing that IAB occupies a dominant position and its requirements are imposed in this way, as it were, and that the publishers are therefore not in a position to to control all these cookies. The defendant added at the time of the hearing accept that the inventory of cookies should ideally be done several times a day as the situation is constantly changing. However, the fact that a supplier has a dominant position – e.g. occupies a mono- or oligopolistic position in the online advertising market, cannot in itself be exempted from responsibilities for the bring the controller. II.4. The IAB TransparencyandConsent Framework (“IAB TCF”), Decision on the merits 85/2022 - 27/58 35 67. In this regard, the Disputes Chamber refers to its decision 21/2022 of 2 February 2022. 68. The Disputes Chamber stated in this decision: “IAB Europe is a federation that and marketing industry on European level represents. It includes both corporate members and national associations, with their own company members. Indirectly, IAB Europe represents approximately 5,000 companies, including both large companies and national members” 36 69. IAB Europe itself described its operation as follows: “In its current form, the TCF is a cross-sector standard for best practice that makes it easier for the digital advertising industry to comply with certain EU regulations privacy and data protection and that individuals have greater transparency and control over their personal data. In particular, it is a "framework" within which companies operate independently and that helps them comply with the GDPR legal basis for the processing of personal data and to the ePrivacy Directive, which requires that the user must consent to the storage of and access to information on a user's device.”37 70. In the reply, as well as at the hearing, the defendant argues that it can only allow advertisements on its website if it respects the IAB TCF. 71. The Disputes Chamber first points out that the defendant does not adduce any evidence to support the argument set out above. The Disputes Chamber also states: determined that the administrators of other similar media websites do not use the IAB TCF. In any event, the defendant is not obliged to use IAB's TCF. 72. The Disputes Chamber points out that the defendant, as operator of the contested websites and as controller within the meaning of Article 4(7) GDPR of the personal data of the users of the aforementioned websites on the basis of the contained in Article 5, paragraph 2 j° 24 GDPR accountability is responsible for complying with the provisions of the GDPR for the processing involved and for demonstrating it. II.5. Established Infringements II.5.1. Lack of valid consent (Article 6, paragraph 1, point a) GDPR j° Article 129 WEC) 35Available via: https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-21-2022.pdf. 36 Ibid, para. 36. 37Ibid., para. 39., Decision on the substance 85/2022 - 28/58 II.5.1.1. Placing non-strictly necessary cookies before the permission was obtained–determination 1Inspection Service 73. Article 6(1) of the GDPR provides that processing of personal data is lawful only if it is based on one of the processing bases mentioned in this provision. 74. Article 6(1) of the GDPR serves the processing of personal data through the posting of cookies should be read in conjunction with (former) article 129 WEC (current article 10/2 WVP), 38 as this article clarifies and supplements the provisions of the GDPR. 75. The aforementioned article therefore stipulates that the permission for placing and/or reading cookies of the data subject is required, except if the cookies are strictly necessary to 1) the transmission of a communication over an electronic communications network or 2) to perform a provide a service expressly requested by the user. 76. In its Planet judgment49, the Court of Justice held that the term “consent” in Article 5, paragraph 3 of Directive 2002/58 (transposed into Belgian law via former article 129 WEC, current article 10/2 WVP) refers to “the consent of a data subject” as defined and specified in Directive 95/46 (i.e. the legal predecessor of the GDPR). 39The EDPB states in its Guidelines 05/2020 of 4 May 2020 regarding consent in this regard: “The EDPB notes that the requirements for consent under the GDPR are not considered to be an ‘additional obligation’, but rather as preconditions for lawful processing. Therefore, the GDPR conditions for obtaining valid consent are applicable in situations falling within the scope of the e-Privacy Directive”.0 77. The Disputes Chamber points out that Article 4, point 11) GDPR defines the valid “consent” as follows: “any free, specific, informed and unambiguous expression of will by which the data subject by means of a statement or an unambiguous active act concerning the processing of personal data”. 78. The technical analyzes of the Inspectorate show that for the website of Knack 66 cookies and for the website of Le Vif 60 cookies were installed before the consent of the person concerned was asked. This includes third party cookies (48 for the website van Knack and 44 for the website of Le Vif). Although it is in principle not excluded that third party cookies are also strictly necessary for the operation of the website, it may be legal distinction with a first party, however, are a parameter in the evaluation of whether a cookie is strictly 38 EDPB, Opinion 5/2019 on the interaction between the ePrivacy Directive and the General Data Protection Regulation, with in particular as regards the tasks and powers of data protection authorities, 12 March 2019, marginal no. 38. 39Judgment of the Court of Justice of 1 October 2019, C-673/17, ECLI:EU:C:2019:801, Planet49, paragraph 50. 40 EDPB, Guidelines 05/2020 on Consent under Regulation 2016/679, 4 May 2020, p. 6 (no. 7). Free translation: “The EDPB notes that the consent requirements of the GDPR should not be regarded as an "additional obligation", but rather as conditions for lawful processing. The AVG conditions for obtaining a valid consent are therefore applicable in situations falling within the scope of the ePrivacy Directive.”, Decision on the substance 85/2022 - 29/58 41 is necessary. In addition, the defendant does not demonstrate that these cookies are strictly are necessary. 79. In this regard, the Disputes Chamber refers to advice no. 10/2012 of the former Commission for the Protection of Privacy (predecessor of the DPA) about the draft law containing various provisions relating to electronic communications that the cookies that are exempt from the consent requirement mainly provide certain “first” party cookies”. The Commission pointed out that in this case it concerns cookies that are placed by the user himself and which include language settings and personal proposals remembered at an online store (for example, customer identification and the virtual shopping cart). 42 Furthermore, the aforementioned advice states that certain cookies are clearly not covered by the exemption on the information obligation. This concerns the most intrusive and latest cookie types (such as “supercookies” or “evercookies”). The Commission stated that this mainly concerns “third party” cookies about which very little or no information is given by the various controllers, 43 and for which special expertise and software is required in order to delete the cookies. er In that advice, the legislator was also clearly asked to provide additional information in Article 129 WEC provide an explanation for which type of cookies concrete permission is required. 44The legislator has failed to provide further clarification on this. 80. The Article 29 Working Party has stated in its Opinion 04/2012 on exemption from the consent obligation for cookies provided that: “third-party cookies” moreover usually are not “strictly necessary” for visiting the website, as such cookies usually relate to a service other than that for which the user “explicitly” 45 has asked". The Article 29 Working Party states that “according to the purpose, the specific implementation, or the specific processing must be determined or a cookie then cannot be exempted from the consent requirement”. 81. Consent must in principle be obtained for all cookies, unless the cookies are “functional” or “strictly necessary”, according to the criteria set out in article 129 WEC (see above). 41 Compare: WP29, Opinion 04/2012 on Cookie Consent Exemption, June 7, 2012, p. 5: “[…]'third party' cookies are usually not 'strictly necessary’totheuservisitingawebsitesincethesecookiesareusually relatedtoaservicethatisdistinctfromtheonethathasbeen 'explicitly requested' by the us; free translation by the Disputes Chamber: “third party cookies are usually not strict necessary for the visitor to a website, as these cookies are usually related to a service that is different from the one expressly requested by the user.” 42 Opinion no. 10/2012 of 21 March 2012 on the draft law on various provisions relating to electronic communication (CO-A-2012-009), § 51. 43Advice no. 10/2012, §52. 44Opinion no. 10/2012, § 64. 45GroupData ProtectionArticle 29, Opinion No. 04/2012 on the waiver of the consent obligation for cookies, p.60., Decision on the merits 85/2022 - 30/58 It is in accordance with its duty of responsibility to the defendant to demonstrate that cookies are strictly necessary, and therefore no consent is required. 82. The report of the Inspectorate's investigation shows that only 2 cookies on both the Knack's and Le Vif's website were found to be strictly necessary. Only these two cookies should therefore in principle be placed without the consent of the data subject. At these, the Disputes Chamber repeats, the defendant does not put forward any arguments as to why the other cookies that the Inspectorate detected, (also) if strictly necessary are considered. 83. The Inspectorate supported the description of “strictly necessary cookies” on a definition included on the website www.gdpr.eu , which contains strictly necessary cookies as follows are defined: “Strictlynecessarycookies -Thesecookiesareessentialforyoutobrowsethewebsiteand use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. while it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user”. (own underlining) In Dutch: “Strictly necessary cookies – These cookies are essential for you surf the website and make use of its opportunities, such as visiting from secure parts of the site. Cookies that allow web shops to put things in the basket while shopping online are examples of strictly necessary cookies. This one cookies will generally be first-party cookies. Although it is not required to obtain consent for these cookies, the user must be explained what they do and why are necessary.” (own translation and own underlining by the dispute room) The Disputes Chamber points out that the aforementioned definition was used to clarify the findings of the Inspectorate. From the actual legal provision, Article 129 WEC, in se be deduced the same. 84. For both the Le Vif and Knack websites, 2 cookies were deemed strictly necessary qualified: Le Vif Knack OptanonConsent OptanonConsent 46A website subsidized by the EU under the Horizon 2020 Framework Programme., Decision on the merits 85/2022 - 31/58 PHPSESSID PHPSESSID In order to classify the various cookies, the Inspectorate took the information into account about the specific cookie on the website, the cookie bot report or a manual interrogation. 47 85. The Disputes Chamber points out that the defendant itself states in its statement of defense that due to a lack of technical knowledge of the cookie tool OneTrustop used at the time was poorly implemented. The defendant adds that cookies that would have been placed. Moreover, during the hearing of the defendant, it appeared that acknowledges that not strictly necessary cookies were placed without obtaining with the consent of the data subjects. 86. On the basis of the above, the Disputes Chamber finds that an infringement was committed by the defendant committed on Article 6 (1) point a) GDPR j° Article 129 WEC. II.5.1.2. Placing statistical cookies without permission – observation 2 Inspection service 87. The technical analysis report of the Inspectorate shows that statistical cookies are used posted before permission was obtained. From the then by the defendant the usedcookie-setting tool turns out that statistical cookies are always active and that they cannot be turned off. 88. The Disputes Chamber wishes to clarify that Article 129 WEC, which is a supplement and clarification of the provisions of the GDPR, it appears that placing and/or reading cookies is required by the data subject, unless the cookies are strictly necessary to enable the transmission of to carry out a communication via an electronic communications network, or to expressly provide the service requested by the user. The Disputes Chamber will state its position below: clarify regarding the placement of statistical cookies. 89. In the decision on the merits 12/2019, the Disputes Chamber defined statistical cookies as “collecting information about the technical data of the exchange or about the” useofthewebsite(pages visited,averagedurationofthevisit,...)tothefunctionof to improve [i.e. to learn how to use the website]. The data on collected in this way by the website are in principle aggregated and become anonymous processed but may also be processed for other purposes”. 48 47 For the classification of the different cookies, see p. 15-29 in Knack's technical report. 48GBA, decision on the merits 12/2019 of 17 December 2019, p. 31., Decision on the substance 85/2022 - 32/58 In the case in question, statistical cookies were also placed without prior notice consent of the data subject. The Disputes Chamber then ruled that “according to the current state of the law there is no exception for permission for “first party analytical” cookies' exists, so that prior consent for the placement of such cookies is indeed required”.9The Disputes Chamber indicated in the decision on the merits 12/2019 that also relates to an advice from the predecessor of the GBA (CBPL) that stated that it is "at the legislator is to clarify the issue of the non-exemption of the consent of the users in connection with the origin analysis cookies”. The placement of "first party statistical cookies" was also not possible, according to the Disputes Chamber be based on the legitimate interest of the website owner, given the reading of Article 5(3) of the ePrivacy Directive. 90. Also at European level, the Article 29 Working Party already took a position in 2012 about the consent requirement for statistical cookies. It is clear that the working group 29 of believes that “first party analytics cookies” are not exempt from the consent requirement as they are not strictly necessary to expressly requested function. According to the Article 29 Working Party, it is even the case that the user can access all functions the website offers without any problems, even when such cookies are disabled. 50She then additionally stated that “it is not probable, however” [is] that first party analytics cookies pose a privacy risk if they are strictly limited to aggregated statistics used for the website operators by websites that provide clear information in their privacy policy about these cookies and appropriate provide privacy guarantees”. The Working Group article 29 adds: “Should article 5, paragraph 3, of Directive 2002/58/EC be revised, then it is appropriate for the European legislator to consider a add a third waiver criterion for cookies that are strictly limited to cookies from the first party for the purpose of anonymized and aggregated statistics”. 91. In summary, in its decision on the grounds of 12/2019, the GBA has taken the position that for the placing of "first party analytical cookies" is in principle a prior consent of the data subject is required. 49GBA, Decision on the merits 12/2019 of 17 December 2019, p. 31. 50Group Data Protection Article 29, Opinion 04/2012 on exemption from the consent obligation for cookies, 7 June 2012, 00879/12/NL, p. 11. 51It should be noted, however, that the process by which data is aggregated is in itself a processing of personal data that must comply with data protection legislation, regardless of whether that process indeed results in statistical data, see also recital 162 GDPR: “[…] The statistical purpose means that the result of the processing for statistical purposes does not consist of personal data, but of aggregated data […]” (own underline), Decision on the substance 85/2022 - 33/58 92. In its defence, the defendant cites that the statistical cookies are installed with the following: exclusive purposes to collect aggregated basic statistics on usage from its websites. Its cookie policy also stated the following about statistical cookies: “Analytical and statistical cookies are always loaded, they are used to fully gain anonymous insight into the way in which the website is used and which pages are visited with frequency. This information is, among other things, necessary in the framework of the CIM Internet Study and is used for traffic and profile analysis so that we can tailor our work even better to your needs.” 52 93. The Disputes Chamber reminds that when statistical cookies are placed on the terminal equipmentofaninternetuserareyyidentifiedwillbebebehanded of IP addresses and other identifiers. 53 After all, the Court of Justice has, in its permanent case law has always used a very broad definition of both “personal data” and of the concept of “identifiability”. For example, she stated that "as long as information is due to its content, purpose" or consequence, can be linked to an identified or identifiable natural person 54 by means that can be reasonably deployed, regardless of whether the information is of which the data subject can be identified entirely from the same controller is based or partly with another entity, this information serves as be considered personal data”. 55 94. Based on the technical report of the Inspectorate for the Knack website (p. 15-29) the Disputes Chamber establishes that for most statistical cookies the website operator either has a unique identification number, or an IP address available when reading the cookies. This is logical since only in this way the website can find out how often the website is visited is used by the same user. 95. With regard to the IP address, the Disputes Chamber states that it is clear that this means that a natural person can be identified. An IP address has already been designated by the Court of Justice 56 as personal data under the GDPR. Since the placement and reading of a statistical cookie on the user's terminal equipment the website operator also the IP address in available, it is also possible for the controller to inform the user 52 Piece 15 from the defendant's collection of documents. 53See recital 30 GDPR; Article 4(1) of the GDPR also explicitly mentions “an online identifier”. 54 CJEU Judgment C-434/16 of 20 December 2017, Nowak v. Data Protection Commissioner, ECLI:EU:C:2017:994, para. 35. 55 CJEU Judgment C-582/14 of 19 October 2016, Patrick Breyer v. Bundesrepublik Deutschland, ECLI:EU:C:2016:779, para. 43; CJEU JudgmentC-434/16van 20December2017,Nowakt.DataProtectionCommissioner,ECLI:EU:C:2017:994,par. 31:seeoR.ZUIDERVEEN BORGESIUS, “Singling out people without knowing their names – Behavioral targeting, pseudonymous data, and the new Data Protectionregulation”,ComputerLaw&SecurityReview,vol.32-2,2016,pp.256-271;R.ZUIDERVEEBORGESIUS,”TheBreyerCase of the CJEU – IP Addresses and the Personal Data Definition”, EDPL, 1/2017, pp. 130-137. 56CJEU Judgment C-582/14 of 19 October 2016, Patrick Breyer v. Bundesrepublik Deutschland, ECLI:EU:C:2016:779, para. 43., Judgment on the merits 85/2022 - 34/58 identify. It therefore concerns the processing of information from an identifiable person (by an online identifier, cf. Art. 4, point 1) GDPR). 96. With regard to the registration of a unique identification number, the Disputes Chamber refers to the decision on the merits 12/2019 where a position has already been taken on the qualification of a unique identification number. Here the Dispute Chamber decided that assigning a unique identification number is a form of pseudonymization within the meaning of Article 4. point 5) GDPR. 57 Also the Article 29 Data Protection Working Party has already expressed its opinion on the interpretation of the 58 concept of “pseudonymised data”. There she argued that pseudonymization is the concealment of means one identity. The identities of persons can be identified through pseudonymization as disguised in such a way that re-identification becomes impossible, for example by means of one-way encryption, which in itself creates anonymized data. 59 Traceable pseudonymised data can be considered information about an indirect identifiable person and are therefore personal data within the meaning of the GDPR. 60 In case by using a pseudonym, data can be traced back to the data subject, so that his/her identity can be established, data protection rules apply. 61 Based on the settled case-law of the Court of Justice, the Disputes Chamber finds that the it is possible to determine the identity of a data subject by combining the unique identification number with other information that may or may not be obtained with the help of third parties 62 become. In this case, the unique identification number must be seen as personal data in the meaning of the GDPR. 97. In view of the foregoing findings and the broad interpretation of the term personal data, as confirmed by the case law of the Court of Justice of the EU, the Disputes Chamber concludes that with regard to the statistical cookies (where there is always an IP address of the user is available), a prior consent is actually required is pursuant to Article 6(1)(a) GDPR in conjunction with the national implementing provision of Article 5(3) of the ePrivacy Directive. After all, it concerns the processing of information from an identifiable natural person through which the rules of the GDPR undoubtedly apply are applicable. The lack of such consent on the Defendant's website for the 57According to Article 4.1.5 of the GDPR, “Pseudonymisation” is defined as “the processing of personal data in such a way that the personal data can no longer be linked to a specific data subject without additional data be used, provided this additional data is kept separately and technical and organizational measures are taken are taken to ensure that the data is not given to an identified or identifiable natural person be linked” 58 Working Party on Data Protection Article 29, Opinion 4/2007 on the concept of personal data, https://ec.europa.eu/justice/article- 29/documentation/opinion-recommendation/files/2007/wp136_en.pdf. 59Ibid., p. 18-19. 60Ibid., p. 19. 61 The Court of Justice has stated in the Breyer judgment that “to determine whether a person is identifiable, it is necessary to by any means which may be reasonably assumed by the controller, or by any other person, can be used to identify the aforementioned person” (§42). 62 CJEU Judgment C-582/14 of 19 October 2016, Patrick Breyer v. Bundesrepublik Deutschland, ECLI:EU:C:2016:779, para. 48, Decision on the merits 85/2022 - 35/58 Statistical cookies identified by the Inspectorate thus constitute an infringement of Article 6, paragraph 1, point a) in conjunction with article 129 WEC. II.5.2. Pre-ticked boxes for the partners (Articles 4, point 11), 6, paragraph 1, point a) en7(1) GDPR) – determination 3 Inspection service FindingsInspection Service: 98. It appears from the Inspectorate's report that for Knack and Le Vif 449 “partners” or “vendors” per default permission is given by pre-ticked boxes. This also turns out clear from screenshots of the websites included in the technical reports of both Knack as Le Vif: 99. The Inspectorate states that the GDPR is a “statement or an unambiguous active act” required (article 4, point 11) GDPR), which means that all supply presupposes the permissions based on a more implicit way of acting of the data subject, not in accordance with the standards of consent of the GDPR. The Inspectorate relies on the Planet49 judgment, which made it clear that Article 2(f) (definition of consent) and Article 5(3) (consent for cookies) of the e-mail privacy directive, to be read in conjunction with Article 4(11) and Article 6(1)(a) of the GDPR. The Court of Justice subsequently ruled that consent did not become legally valid granted when the storage of information by means of cookies or access to already on the substance, Decision 85/2022 - 36/58 terminal equipment of the website user, information stored via cookies is allowed by default checked checkboxes that this user must tick off if he refuses to give his consent. In addition, the Inspectorate states that the the defendant also fails to comply with the obligation to prove under Article 7(1) of the GDPR that the data subject has given permission not to place strictly necessary cookies. Defendant's position: 100. The defendant argues that the third finding of the Inspectorate is incorrect. She admits that the partner companies within the OneTrust Consent management platform default to “active” but that this did not mean that cookies are automatically set by these third-party partner companies were installed. After all, according to the defendant, it was not a question of authorization to placing cookies, but about an indication which IAB vendors could use making a consent for one or more purposes, provided that this permission was given. This would only be the case if the person concerned accepted cookies within the cookie tool. The defendant is therefore of the opinion that, in the light of the case law of the Court of Justice in the Planet49 judgment, the practice whereby the cookies of partner companies are set to "active" by default, constitutes a valid consent in within the meaning of Articles 4.11 and 6.1 a) GDPR. 101. The Disputes Chamber finds that the defendant indicates in its claims that its practice has adapted on this aspect by implementing a new Didomi Consent Management Platform in March 2020. None of the partner companies would currently are automatically set to “active” and the user must now actively make a choice. Position of the Dispute Chamber: 102. The Disputes Chamber will meet the criteria for a valid consent in this section. Article 4 pt. 11) GDPR defines “consent” of the data subject as “any free, specific, informed and unambiguous expression of will with which the data subject by means of a statement or an unambiguous active act concerning him/her processing of accept personal data”. 103.Article 7 GDPR contains the conditions that apply to the consent: 1. When the processing is based on consent, the controller must be able to demonstrate that the data subject has given consent for the processing of his personal data. 2. If the data subject gives consent within the framework of a written statement that also relates to other matters, the request for consent shall be in an understandable and easily accessible form and in clear and simple language presented in such a way that a clear distinction can be made from the others, Decision on the substance 85/2022 - 37/58 affairs. Where any portion of such statement constitutes an infringement on this regulation, this section is not binding. 3. The data subject has the right to withdraw his consent at any time of the consent does not affect the lawfulness of the processing based on the consent before its withdrawal, without prejudice. Before being involved consent, he will be notified accordingly. Withdrawal of consent is as easy as giving it. 4. When assessing whether consent can be freely given, among other things, the question of whether for the implementation of a agreement, including a service agreement, consent is required for processing of personal data that is not necessary for the execution of that agreement. 104.In addition, Article 5(3) of the ePrivacy Directive, as transposed by Article 129 of the WEC establishes the time of the inspection by the Inspectorate, the condition that the user "are has given permission" for the placement and consultation of cookies on its terminal equipment, with the exception of the technical registration of information or the provision of a service for which the subscriber or end user has expressly requested and where the placement of a cookie strictly necessary for that purpose. 105.Recital 17 of the ePrivacy Directive specifies that for the purposes of this Directive the the term “consent” must have the same meaning as “consent of the data subject”, such as 63 defined and specified in the GDPR. 106.In the Planet49 judgment, the Court of Justice of the European Union set the consent requirement for placing cookies after the entry into force of the GDPR. She stated that explicit active consent is required: so “active consent" is indisputably required according to the correct interpretation of the GDPR. 64 Recital 32 indeed provides that: “Consent must be given through a clear active act, for example, a written statement, also by electronic means, or an oral statement statement, showing that the data subject is free, specific, informed and unambiguous consent to the processing of his personal data. This could include the clicking on a box when visiting an internet website, selecting technical institutions for information society services or any other statement or other act which clearly shows in this regard that the data subject consents to the proposed processing of his personal data. Silence, the use of already 63 The GDPR as a replacement for Directive 95/46/EC. 64Judgment of the Court of Justice of 1 October 2019, C-673/17, ECLI:EU:C:2019:801, Planet49, para. 73, Judgment on the substance 85/2022 - 38/58 ticked boxes or inactivity should therefore not constitute consent. The permission must apply to all processing activities that serve the same purpose or purposes. If the processing has multiple purposes, consent must be obtained for each of them granted. If the data subject has to give his consent after a request via electronic resources, that request should be clear, concise and not unnecessarily disruptive to the use of the service in question.” (the Disputes Chamber underlines). 107. On the basis of these considerations, the Disputes Chamber argues that the permission referred to in the Articles 2(f) and 5(3) of Directive 2002/58, transposed into Article 129 WEC at the time of the findings, read in conjunction with art. 4, par. 11 and art. 6 (1) point a) GDPR, not valid is given by a standard checked box that the user must uncheck in order to refuse to give permission (in this case it is therefore about giving permission to the partners for one or more purposes for which permission must be given in another window Be given). 65 108. In concrete terms, this means that the data subject must receive information about the way in which he/she is wishes with regard to cookies, and how to “all, some or no cookies” can accept. 109.For example, confirming a purchase or accepting the general conditions are not sufficient to assume that valid consent has been given for placing or reading cookies. Nor can permission be given for the mere “use” of cookies, without any further specification of the data sent through this cookies are collected or the purposes for which this data is collected. The GDPR indeed requires a more detailed choice than a simple "all or nothing", but requires no consent for each individual cookie. If the administrator of a website or mobile application asks permission for different types of cookies, the user must choose have to consent (or refuse) to any kind of cookie, or even, in a second information layer with choices, for each cookie individually. 110. By using pre-ticked boxes, as set out by the Inspection Service in its reports, the defendant commits an infringement of articles 4, point) 11j° 6, paragraph 1, point a) and 7, paragraph 1 AVG, as explained in recital 32 of the GDPR. II.5.3. Disclaimer for third party cookies (potential violation of article 5, paragraph 2 and 7, para. 1 GDPR) – determination 4 Inspection service 65This is also related to the specificity requirement of the consent, cfr EDPB, Guidelines 05/2020 on consent in accordance with Regulation 2016/679, https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf, § 50., Decision on the merits 85/2022 - 39/58 Determination of inspection service: 111.According to the Inspectorate, the defendant is trying to shirk responsibility for third-party cookies that are placed when you visit the Knack and Le Vif sites. 112. For example, the cookie policy states that the defendant is not responsible for cookies set by third parties are placed and managed, including cookies that enable sharing information through social networks. The defendant also argues that it has no control over certain cookies used on its website. 113. With regard to this aspect, the Inspectorate refers to the judgment of the Court of the Wirtschaftsakademie of Justice which ruled that the owner of a website is responsible for the processing of cookies that are installed or read from its website. 66 He picks up at least part in determining the purposes and means of the processing of the personal data of visitors to his website through third-party applications on his website or to allow the distribution of the content of third parties in the advertising spaces of its website. 114.Then the Inspectorate refers to the accountability principle in Article 5, paragraph 2 of the GDPR, which shows that the controller is responsible for compliance with the principles governing the processing of personal data and must be able to demonstrate that these principles are taken into account. 115. This practice employed by the defendant must also, and as discussed above, be considered a violation of Article 7(1) of the GDPR, as a controller must demonstrate that the data subject has given permission for the placement of cookies from its website that are not strictly necessary. Defendant's position: 116. The defendant is not responsible for the processing of cookies used by third parties in be placed within the framework of the IAB TCF. According to the defendant, this interpretation was also confirmed by the GBA in the current IAB Europe research: “Belgium's Data Protection Authority found IAB Europe's Transparency and Consent Framework does not meet several standards under the EU General Data Protection Regulation, TechCrunch reports. The DPA determined the framework fails to comply with the GDPR's principles of transparency, fairness and accountability. IAB Europe said in response it “respectfully disagree[s] with the [Belgian DPA]'s apparent interpretation of the law, pursuant to which IAB Europe is a data controller in the context of publishers' implementation of the TCF”. 117. Next, the defendant argues that, should the Disputes Chamber come to a different conclusion, its practices nevertheless comply with Article 5(2) of the GDPR. The 66Judgment of the Court of Justice of 5 June 2018, C-210/16, ECLI:EU:C:2018:388, Wirtschaftsakademie, inter alia para. 39, Judgment on the substance 85/2022 - 40/58 accountability means “(I) the need for a controller to take appropriate and effective measures to implement the principles of implement data protection”. 67There are no guidelines published by the DPA clarifying what is meant by a minimum of appropriate and effective measures. In addition, Roularta has chosen to use the IAB Framework described as “the most sophisticated and scrutinized model of GDPR- compliance for digital advertising in the world”. Roularta clarifies that the disclaimer does not de intended to shirk responsibility, but rather to indicate that it is unable to block cookies placed by third parties. 118. Passing responsibility in the cookie policy was not so much the intention to abdicate responsibility, according to the defendant; to indicate that the the defendant is technically not able to block cookies that are used by some third parties (in this case: advertisers) are placed. Advertisers and agencies can, when an ad campaign on one of the Roularta sites, via that campaign launch cookies or scripts that are used by Roularta impossible to know in advance. 119.The defendant states in its conclusions that the sentence in question was removed from the cookie policy because since the IAB TCF framework it can be assumed that IAB vendors conform to this frameworkdo not place any cookies or scripts unless there is both permission for the cookies and the vendor concerned has been approved in the list of partner companies. Position of the Dispute Chamber: 120. The Disputes Chamber does not agree with the defendant's contention that it does not 68 is responsible for the processing of cookies by a third party. 121.The responsibility of IAB Europe excludes the responsibility of other controllers within the TCF framework. 69 The Disputes Chamber points points out that the defendant must be seen as a (co-) controller in the framework of TCF, because they are supposed to decide whether or not to immediately register CMP work together, and are also able to determine which advertisers appear on their website or in are allowed to offer their application advertising and which means (cookies) they can use for this apply. 67 WP29, Opinion 3/2010 on the “Accountability Principle”13 July 2010, WP173, 10, available at: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp173_en.pdf. 68 Decision Disputes Chamber GBA 21/2022 of 2 February 2022, available via: https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-21-2022.pdf. 69, Decision on the substance 85/2022 - 41/58 122. The defendant states in its conclusion that, given the dominant position of IABEurope, it is obliged was to implement the IAB TCF. The Disputes Chamber rules that this argument of the defendant cannot be followed. In general, it can also be noted that there are alternative providers are available on the market, quite apart from the fact that it is not true that there are any obligation on the part of the defendant to make use of the offer of IAB to facilitate advertisements through its websites. Roularta was free to choose implement the IAB TCF and therefore bears responsibility for the consequences of that implementation. 123. The Disputes Chamber rules that the defendant must be identified as controller, which is also not disputed in this proceeding. if controller is responsible for the processing of personal data and it must be able to ensure compliance with the principles governing the processing of personal data demonstrate. The defendant can therefore pass on the responsibility for the placement of cookies third parties on its websites from its processing responsibility. Moreover The cookie policy states that it has no control over certain cookies that are placed on its website posted. However, it is up to the defendant as operator of the websites, and in this case as controller under data protection law, to provide appropriate technical and organizational measures to ensure that its processing activities in are in accordance with the relevant legislation. Disclaiming responsibility for the placement of cookies by third parties against data subjects for whom the defendant has been appointed maybeas controllerisanviolationofarticle5,paragraph2GDPR,junctoarticle24 70 GDPR (accountability). 124. In summary, the Litigation Chamber concludes that the defendant's obligation rests upon it to accountability (Article 5, paragraph 2, j° Article 24), by denying the bear responsibility towards those involved. II.5.4. Incorrect and deficient information (potential violation of Articles 4, point 11), 12, paragraph 1, 13 and 14 of the AVG) -determination 5 Inspection service 125. The Inspectorate establishes a breach of the transparency principles of the GDPR by the defective cookie policy of Roularta Media Group. For example, Article 12(1) of the GDPR provides that the controller must take appropriate measures to ensure that the data subject is including Article 13 of the GDPR mandatory information in a concise, transparent, comprehensible and in an easily accessible form and in clear and plain language. 70 The obligation in Articles 5.2 and 24.1 of the GDPR means that the VV must demonstrate that it complies with the obligations of the GDPR complies. If the VV fails to show this, there is a violation of these articles. See also:Article39DataProtectionWorking Party, Opinion 3/2010 on the principle of accountability13 July 2010, 12, https://ec.europa.eu/justice/article- 29/documentation/opinion-recommendation/files/2010/wp173_en.pdf., Decision on the merits 85/2022 - 42/58 Articles 13 and 14 of the GDPR then determine which information must be provided by the controller to the data subject. In paragraphs 1 and 2 of both articles lists a list of information provided by the controller to the person concerned must be given. 126. In order to clarify the relevant legislation, the Court of Justice in the Planet49 judgment also clarifies how the controller should provide information before placing cookies specify how long the cookies remain active and whether or not third parties can access the cookies to ensure proper and transparent information (Article 5.3 ePrivacy Directive with regard to the placing of cookies in conjunction with information obligations from art. 13.1(e) and art. 13. 2 (a) GDPR). FindingsInspection Service: 127. The Inspectorate has established that there were shortcomings in the cookie policy: ▪ Defendant's cookie policy contains provisions that do not comply with the GDPR. For example, the cookie policy speaks of implicit consent for cookies via the access to the defendant's websites, which is contrary to the need for a expression of will through a clear statement or positive act in accordance with Article 4, point 11) AVG. It is also noted that for sharing data collected through cookies, no specific consent is required, which is contrary to the specific nature of the consent to a data processing in accordance with Article 4, point 11) of the GDPR; ▪ The cookie policy would also lack clarity about the necessity of using third-party cookies due to technical problems that have been going on for more than a year; ▪ The Inspectorate also notes that the names of the types of cookies in the cookie policy do not match the cookie category names in the cookie setting tool, which does not benefit comprehensibility;71 Cookie Policy Cookie Setting Tool Necessary cookies Necessary functional cookies 7Inspection service,Technical investigation report on the use of cookies on the Knack website (document 6 administrative file), 39., Decision on the substance 85/2022 - 43/58 Analytical cookies Analytical cookies Social Media Cookies Content Selection and Delivery and report Advertising cookies Advertising selection and delivery and report Content Personalization Advertising and marketing cookies ▪ In addition, the cookie policy does not include information about the storage periods of cookies. The Privacy Policy only states: “Roularta Media Group will not process your data keep for longer than is legally permitted and than is necessary for the purposes mentioned in this document”. The cookie policy also states: “the retention period differs from cookie to cookie, in general, the cookie is stored until the user is delete cookies.” ▪ The cookie policy mentions the use that the partners make of the “IAB Europe” Transparency & Consent Framework” as a consent management tool, which ensures that third parties comply with the GDPR, while of the 449 partners who are on the Knack and Le Vif sites state 312 not or no longer validated by IAB; ▪ The user should refer to the policies of the 449 sellers to find out what these companies do with his data and make an informed decision based on that to give his consent. This is illusory and impracticable and, moreover, will lead to the setting of even more cookies when visiting the links to this one partners; ▪ Finally, it is determined that cookies are not individually documented, which means the user is unable to control what is being done with their data. In the privacy policy there is brief information about cookies: Position of the Dispute Chamber:, Decision on the merits 85/2022 - 44/58 128. The Disputes Chamber finds that the defendant indicates in its claims that it cookie policy has changed in certain aspects :72 - The statement that the defendant's registration system has been temporarily replaced by a technical problem used third party cookies to log into the websites of the Defendant is now removed (the problem would also have been resolved by moving to a new registration software that only uses a purely functional cookie to make sure users don't have to log in every time); - In the update of the cookie policy dd. July 31, 2020 all cookies are correct inventoried and documented. Correcting some inaccuracies cannot undo the infringement of the past Consequently, the Dispute Chamber is of the opinion that the defendant has a negligent attitude on several aspects regarding its transparency obligation under of Articles 12 and 13 GDPR. 129. First, the infringements are related to the incorrect information in the cookie policy. In accordance with Articles 13 and 14 (respectively paragraphs 1 and 2) of the GDPR, the following information must be summarized: be provided to the data subject: the name and contact details of the controller, the reason why the data is processed, the retention period of the personal data, with which companies/organizations the data is shared, as well as the data protection rights of the data subject. With regard to this last element, the Inspectorate determines that incorrect information has been given in the privacy policy of the defendant, such as the existence of an implied consent contrary to the provisions about this in the GDPR. 130. The Disputes Chamber states that providing incorrect information about the consent requirement in the GDPR infringes Article 12(1) and Articles 13 and 14 of the GDPR. 131. Second, with regard to the mention of the temporary technical problem that caused third party cookies were temporarily used to log in users. However, this problem could date from 19 November 2018, so that it is impossible to speak of a “temporary” problem (the determination of the statement in the cookie policy dates from January 8, 2020). The Dispute Room furthermore, considers that a technical difficulty does not constitute a violation of the rules of the GDPR can justify, given that this is a long-term violation where major numbers of those involved could be disadvantaged, and where the responsibility of the controller for those activities cannot be negated in any way. 72see document 20 of the defendant's collection of documents: new cookie policy., Decision on the merits 85/2022 - 45/58 132. Third, regarding the inconsistencies between the cookie policy and the cookie management tool. The defendant justifies this by alleging that it was obliged by IABEurope to use these terms to be used in the consent tool, on pain of exclusion from the IAB TCF. She wanted in her own cookie policy use more understandable terms. The Disputes Chamber understands the position of Defendant with regard to the obligation to apply the terms proposed by IAB Europe in its consent tool. However, this does not alter the fact that using different terms in its privacy policy increases the ambiguity and in that sense not in accordance with the providing information in “concise, transparent, comprehensible and easily accessible” form and in clear and plain language” (Article 12(1) of the GDPR on the interpretation of Article 13 and 14 GDPR). 133. Fourth, regarding the lack of information about the storage periods of the cookies. The The inspection service determined that there was only a statement in the cookie policy that the retention period “depends from cookie to cookie”. The defendant argues that the views of the Inspectorate that “no concrete information about the storage periods can be found” and that “the cookie policy refers to a storage period that is in principle unlimited” are incorrect. she states that in principle two types of information about the storage time of the cookies were included in the cookie policy: (i) the fact that the retention time varies from cookie to cookie, (ii) the fact that the user can disable cookies, resulting in a non-existent retention time.The Defendant argues, therefore, that the Inspectorate went too far in stating that this information is equivalent to an unlimited storage period. 134. The Disputes Chamber follows the defendant with regard to this last element. The information in the cookie policy makes no mention of an in principle unlimited storage period. However, this takes does not mean that the information in the cookie policy was insufficiently clear and transparent, given that there was no indication whatsoever about the concrete retention periods, and therefore neither was this information was available to those involved. Article 13(2)(a) GDPR and Article 14(2)(a) GDPR clearly state that information must be given about “the period during which the personal data are stored, or if that is not possible, the criteria for determining that term". The Commission for the Protection of Privacy, the legal predecessor of the GBA in accordance with art. 3 WOG, already issued a recommendation in 2017 Facebook regarding its cookie policy. In it, the Commission stated that the person concerned has clearly and understandably must be fully and accurately informed about the retention period of the data it collects via cookies.3According to the Commission, providing that information would are also necessary to ensure informed consent and to 73CBPL, Recommendation no. 03/2017 of April 12, 2017 supplement to recommendation no. 04/2015 of its own accord with regard to 1) facebook, 2) the users of the internet and/or Facebook as well as 3) the users and providers of Facebook services, in particular social plug-ins (CO-AR-2017-004), Decision on the merits 85/2022 - 46/58 74 fair and lawful processing. The shortcoming would meanwhile 75 have been rectified by the defendant in its renewed cookie policy. 135. Due to the lack of clear and transparent information on the concrete retention periods for the cookies placed on its website, as determined by the Inspectorate, the defendant infringes Articles 13 and 14 j° 12(1) GDPR. 136. Fifth, as to the entry in the consent management tool related to the use of the “IAB Europe Transparency & Consent Framework”. The defendant argues that it this mention only wanted to increase transparency and inform the user about the way in which it wants to control the use of cookies, namely by joining a internationally recognized standard within the digital advertising world. The Inspectorate found this mention in the privacy policy is insufficient to inform the 449 partners of both Knack and Le Vif by default (it also appears from the Inspection Report that 312 of the 449 partners - the vast majority - are no longer validated by IAB). 137. From these elements, the Disputes Chamber infers that the information provided by the defendant to the users thereby trying to create an appearance of respecting the rules on data protection. It cannot be assumed that this entry de transparency, all the more so now that it turns out that the information was also incorrect. For this reason it must be noted that also on this point the information provided by the defendant is not sufficiently clear and transparent under Articles 13 and 14, j° 12, paragraph 1 GDPR. 138. Sixth, with regard to the fact that the user of the website in principle follows the policy of the 449 should consult partners in order to know what happens with his data and in order to to give informed consent on this basis. This redirect cannot be accepted as the sole supporting element in the provision of information to data subjects, therefore the de facto negates responsibility for information obligations for the controller – which is not in accordance with the provisions of the GDPR in this context. The fact that data subjects do not provide more concrete and clear information have access to the use and further use of their personal data, for this reason, an infringement of the information obligation under Articles 13 and 14 j° 12(1) GDPR. 139. Seventh, the Disputes Chamber deals with the findings of the Inspectorate regarding the not individually documenting the cookies in the defendant's cookie policy. The Disputes Chamber points out in this regard that in accordance with Articles 13 and 14, in conjunction with Article 12, paragraph 1 GDPR, transparent information must be provided about cookies that contain personal data collect or otherwise process. This requirement applies regardless of whether or not there is a 74 ibid. 75 Piece 20 of the defendant's collection of documents, Decision on the merits 85/2022 - 47/58 permission must be given for the installation and reading of such cookies, and therefore also in the case of a strictly necessary cookie. 140.In the cookie policy there is only a limited number of informational elements about cookies: Given the very limited information provided in relation to the list of cookies present, 76 the Disputes Chamber indisputably establishes a problem with regard to information obligations. 141.The following information should certainly be stated separately by category of cookies, so that a cookie would be sufficiently documented: the personal data being processed, the purposes of processing for such cookies and the retention period of such cookies (see for this the information obligations in Article 13(1) and 14(1) GDPR). Since this information is missing for each category of cookies used in the cookie policy, cannot be judged impossible that the cookies were sufficiently documented. 142. The Disputes Chamber infers from the findings of infringements listed above that the Defendant fulfills its obligation to provide information accordingly Articles 13 and 14, j°12, paragraph 1AVGophet time of those findings. The Disputes Chamber emphasizes in this regard that the The controller's responsibility is to ensure itself that the website information provided is in accordance with reality, in accordance with the aforesaid provisions in the GDPR. The Disputes Chamber refers here emphatically to the provisions of Articles 5, paragraph 2 and 24 GDPR established accountability. II.5.5. Unjustified storage periods of cookies (Article 5(1)(e) GDPR) – determination 6 Inspection service 143. Article 5(1)(e) GDPR provides that personal data may not be kept longer than necessary to achieve the intended purpose (principle of “storage limitation”). The retention period may therefore not unlimited. The information collected and stored in a cookie and the information collected as a result of reading the cookie must be deleted when it is no longer necessary for the intended purpose. 144. On the website of the GBA, the following is stated in the theme file “cookies” regarding the storage period or lifespan of cookies: 76For an overview of the names of the installed cookies, and the findings regarding its flawed character, see: Technical research report on the use of cookies on the Knack website, document 6 administrative file, p. 29 ff., Decision on the merits 85/2022 - 48/58 “A cookie that is exempt from the consent requirement must have a lifespan directly related to the purpose for which it is used and to be set to expire as soon as it is no longer needed, taking into account the reasonable expectations of the average user. Cookies exempt from consent are therefore likely to expire when the browser session ends or even earlier. However, that is not always the case. For example, in the shopping cart scenario, a retailer set the cookie to remain after the end of the browser session or for a few hours to account for the fact that the user may inadvertently de browser may close and reasonably expect to see the contents of the shopping cart when he returns to the retailer's website a few minutes later. In in other cases the user may expressly request the service for certain information from one session to another, requiring the use of permanent cookies is required.”7 145. From the technical analysis reports of the Inspectorate, both with regard to the Knack website if this one from LeVif, it turns out that the effective storage periods for some cookies are unreasonably long and that the cookies have a lifespan of several years. Below is an overview of cookies with unreasonably long storage periods (expressed in days): - UID: 720 days (Le Vif and Knack) - _gfp_64b: 1000 days (Knack and Le Vif) - OB-USER TOKEN: 90000 days (Knack and Le Vif) - You: 730 days (Le Vif) - Gdyn: 1698 days (Le Vif and Knack) - Gtest: 1698 days (Knack) 146. The defendant argues that in the past the Data Protection Authority has not made any specific has issued guidelines regarding the precise storage periods of cookies. This states that it because of this uncertainty it was not clear to her what should be understood concretely under “a lifespan that must not be longer than the time necessary to achieve the intended purpose reach". 147. The Disputes Chamber points out, however, that the lack of guidelines from a supervisory government cannot be used by a controller as a reason for the non-compliance with the provisions of the GDPR. 78 Indeed, there is, in accordance with the provisions of Article 5, 77 https://www.dataprotectionauthority.be/professioneel/thema-s/cookies. The Disputes Chamber underlines. 78See also above, part II.3 of the present decision, Decision on the substance 85/2022 - 49/58 paragraphs 2 and 24 GDPR, obliged to ensure itself that the processing of personal data carried out by him takes place in accordance with the provisions of the GDPR and must be able to demonstrate this. 148. In addition to the foregoing, it should be noted that, if the defendant was the opinion that the lifespan of certain cookies and the retention period of the cookies via these cookies personal data collected was proportional, could have demonstrated this if desired or could have argued in the course of the proceedings why it is of the opinion that the retention periods do meet the requirements of Article 5(1)(e) GDPR. The defendant did this however is not. 149. The reports of the Inspectorate also show that the lifespan of certain cookies in case is manifestly disproportionate and can in no case be considered proportionate to the purpose pursued. In this context, particular reference should be made to the cookie “OB-USER-TOKEN”, with a lifespan of 90,000 days or approximately 246 years. 150. The defendant argues in its response that the retention period as established in its privacy policy means that the placed cookies are stored until they are user will be deleted. 79 The defendant submits that the Inspectorate's finding, according to which the retention periods would be “indefinite”, is therefore not correct. 151. While it is true that the defendant has not argued that it is an unlimited storage period, it is true that it is not clear proactive recording of (criteria for) the concrete retention periods constitute an apparent shortcoming in the light of the principle on storage limitation. 152. On the basis of the above, the Disputes Chamber finds that the defendant has committed an infringement committed on Article 5(1)(e) GDPR. II.5.6. Non-compliance with the withdrawal of consent (Article 7(3)GDPR) - determination 7 Inspection service 153. Pursuant to Article 7(3) of the GDPR, the data subject has “the right to give his or her consent at any time” to withdraw. Withdrawing consent does not affect the lawfulness of the processing of the consent before its withdrawal, without prejudice. he shall be notified thereof. Withdrawing consent is as easy as giving it.” 79Cf. statement of response defendant, p. 32, no. 86 et seq., Decision on the substance 85/2022 - 50/58 Establishments Inspection Service: 80 154. It appears from the technical analysis report on Le Vif's website that: 81 - when the inspector surfed to the site, 60 cookies were detected before the permission was given; - when the inspector gave his consent for all cookies in the cookie consent tool, there 147 cookies were detected; - when the inspector wanted to return to the selection screen (consent tool) to withdraw permission, it was confronted with a black screen, after which the website blocked: The Inspectorate therefore determined that it was impossible to obtain the consent Pull. 155. For the Knack website, the Inspectorate established that: 82 - when taking steps 1 to 15 (in step 15 all cookies were accepted), 86 cookies were detected; - in step 24 (deleting the cookies and reloading the web page): number of cookies 73→ step 25 (allow all cookies again and reload the page): number of cookies 85 → step 26 (return to minimum cookies and reload): number of cookies 88; Between step 24 “all cookies” and step 26 “minimum cookies” the number of cookies does not decrease, on the contrary, the number of cookies is increasing. 80 Report of the Inspectorate, document 10, p. 30, with reference to the findings in the technical investigation reports in that regard. 81Page 36 of Le Vif's technical analysis report. 82 For an overview of all the steps taken by the Inspectorate, reference is made to pages 31 to 33 of the technical analysis report., Decision on the substance 85/2022 - 51/58 156. In addition, it appears from the Inspectorate's technical analysis report that the withdrawal of the Consent is more difficult than giving it: - For LeVifiser even an impossibility to withdraw the consent (see above). - For Knack it appears that adjusting the permission is only possible by using the “footer” clicking on “cookie settings”: Defendant's position: 157. In its statement of defense, the defendant submits, with regard to the . described above findings of the Inspectorate regarding the withdrawal of the permission that certain of these problems are due to an unfortunate configuration of the OneTrust cookie tool, which used by the defendant at the time of the findings. She states in this regard more specifically that, firstly, when implementing the aforementioned tool, there is no correct technical link was made between the consent given or not and the first party cookies used by the site were placed themselves. It states that with regard to the cookies placed by advertisers, the consent was correctly enforced by applying the IAB TCF. The Defendant adds that the aforementioned issue was resolved by the implementation on March 31, 2020 of the CMP Didomi. 158. Second, with regard to the Inspectorate's determination according to which for the website www.levif.be gets a black screen when trying withdraw permission, that this can also be explained by a configuration problem of the OneTrust cookie tool. The defendant argues that it was, however, its intention to insert from the tab “more info and configuration” allow users to give their consent for free to change. She regrets that the Inspectorate was confronted during its investigation with a black screen instead of the affected setup screen. 83 Position of the Dispute Chamber 159. On the basis of the findings of the Inspectorate, the Disputes Chamber establishes the above evidence presented as well as the statements of the defendant establish that there are more steps are necessary to withdraw consent than to give consent. This is not in in accordance with Article 7(3) of the GDPR, which states that the withdrawal of consent is equally should be as simple as giving it. 160.The fact that technical problems arise during the withdrawal process permission, indicates that the correct technical measures have not been taken to ensure that a 83 Conclusion of the defendant's reply, p. 33., Decision on the substance 85/2022 - 52/58 data subject can withdraw her or his consent at any time. In addition, it appears that even when it creates the appearance for the data subject that she or he has withdrawn consent, the technical situation does not change to a basic situation, but on the contrary, more cookies that processing personal data can be detected on the Knack website. 161. Therefore, the Disputes Chamber with regard to both Knack's and LeVif's websites a breach of Article 7(3) of the GDPR. III. Infringements and sanctions 162. In summary, in the present case, the Disputes Chamber finds infringements of the following provisions in the main: from the defendant: - Article 6(1) of the GDPR, read in conjunction with Article 129(2) of the Act on electronic communication (current article 10/2 of the law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data 84), due to the placement of not strictly necessary cookies on her websites www.knack.be and www.levif.be without permission being obtained. In accordance with the aforementioned provisions, the processing of personal data requires prior consent by placing and/or reading cookies of the data subject, unless the cookies are strictly necessary to 1) the transmission of a communication over an electronic communications network or 2) to to provide a service expressly requested by the user. From the findings of the Inspectorate and the documents in the file show that on both aforementioned websites cookies were placed that cannot be regarded as strictly necessary and this without obtaining the user's consent. It was also determined that statistical cookies were placed without the user's consent. The the defendant neither denies nor refutes the aforementioned finding in its statement of defense and during the hearing. - articles 4, point) 11j° 6, paragraph 1, point a) and 7, paragraph 1 AVG, as explained in recital 32 of the AVG, because of not meeting the conditions regarding permission contained in the aforementioned provisions. In particular, it was found that on the websites www.knack.be and www.levif.be At the time of the research, use was made of so-called “pre-ticked boxes”, where the cookies of the partner companies were marked as “active” by default. However, this can in no way constitute a valid 84BS 5 September 2018., Decision on the substance 85/2022 - 53/58 consent within the meaning of Art. 4, point 11) GDPR for the placement of cookies (i.e. “any free, specific, informed and unambiguous expression of will with which the data subject by means of a statement or an unambiguous active accepts any act concerning him/her concerning the processing of personal data"). This one practice is also contrary to the case law of the Court of Justice of the European Union 85 (Judgment Planet49 ). - Articles 5(2) and 24 GDPR, due to the publication of a disclaimer on the websites concerned where the defendant claims that it is not responsible for the placement of third-party cookies on these sites, including in the context of the use of the IAB Transparency and Consent Framework. This statement of the the defendant is, however, contrary to the case-law of the Court of Justice of the European Union in the Wirtschaftsakademie judgment, 86 in which the Court held that the owner of a website is responsible for processing by means of cookies who installs or reads his website. This attitude of the defendant is therefore contrary to with Article 5, paragraph 2 j° Article 24 GDPR, according to which the controller is responsible for compliance with the provisions of the GDPR and demonstrating of this. - Articles 12(1), j° 13 and 14 GDPR, as the way in which the information is sent to the data subjects was provided does not meet the requirement of a "transparent, comprehensible and easily accessible form". It was first established that the privacy policy contained incorrect information, including regarding consent to the use of cookies, as well as with regard to the need to accept third party cookies. The privacy policy also did not include, at the time of the survey, full listing of the different types or categories of cookies that have been posted. Nor did this policy contain sufficient information regarding the (criteria for determination of the) lifespan of the cookies placed and the retention period of the thus collected data, as however required by articles 13, paragraph 2, point a) and 14, paragraph 2, dot a) GDPR. The privacy policy also did not contain information regarding the processing by partners, allowing those involved to follow the policies of a large number of partners and vendors should consult in order to obtain this information. - article 5, paragraph 1, point e) GDPR, due to non-compliance with the principle of storage limitation. A cookie must have a lifespan that is directly related to its purpose 85 CJEU, C-673/17, 1 October 2019, ECLI:EU:C:2019:801. 86 CJEU, C-210/16, 5 June 2018, ECLI:EU:C:2018:388., Judgment on the merits 85/2022 - 54/58 what it is used for and should be set to expire when it is not longer, taking into account the reasonable expectations of the user. - Article 7, paragraph 3 of the GDPR, for failure to ensure that the withdrawal of the consent to the placement of cookies is just as simple as granting it. More specifically, it is established for the website www.levif.be that the withdrawal of the consent is technically impossible via the cookie management tool, because this management tool blocks and a black screen appears. From the technical analysis of the website www.knack.be it appears that the withdrawal of consent is ineffective, as it number of cookies does not decrease after returning to the minimum choices. The Defendant neither denies nor refutes this finding and states in its reply that this problem was due to a bad configuration of the cookie tool OneTrust. 163. As a result of these infringements, the Disputes Chamber decides to impose a administrative fine of EUR 50,000 to the defendant for the aforementioned infringements. The The Disputes Chamber also decides to order the defendant to process the align personal data with the applicable provisions of the data protection legislation within a period of 3 months from the date of receipt of the present decision. 164. It should be noted in this regard that the administrative fine is not for to end an offense committed, but vigorously enforce the rules of the GDPR aims. Indeed, as can be seen from recital 148 of the GDPR, the GDPR presupposes that in any serious infringement – thus also in the event of an initial finding of an infringement – penalties, including 87 administrative fines, in addition to or instead of appropriate measures. Hereafter, the Disputes Chamber shows that the infringements committed by the defendant of the the aforementioned provisions of the GDPR in no way concern minor infringements, nor that the fine would cause a disproportionate burden to a natural person as referred to in recital 148 AVG, where in either case a fine may be waived. The fact that it is a first determination of a breach of the GDPR committed by the defendant, thus raises 87 Recital 148 states: “In order to strengthen enforcement of the rules of this Regulation, penalties, including including administrative fines, to be imposed for any infringement of the Regulation, in addition to or in lieu of appropriate measures imposed by the supervisory authorities pursuant to this Regulation. If it is a small infringement or if the expected monetary fine would cause a disproportionate burden and on a natural person, instead of a fine are chosen for a reprimand. However, the nature, severity and duration of the the infringement, with the intentional nature of the infringement, with damage mitigation measures, with the degree of responsibility, or with previous relevant infringements, with the manner in which the infringement came to the attention of the supervisory authority, with compliance with the measures taken against the controller or processor, with the affiliation with a code of conduct and any other aggravating or mitigating factors. The imposition of penalties, including administrative fines must be subject to adjusting the procedure and guarantees in accordance with the general principles of Union law and the Charter, including an effective remedy and a fair administration of justice. [own underline], Decision on the substance 85/2022 - 55/58 in no way prejudice the ability of the Disputes Chamber to file an administrative impose a fine. The Disputes Chamber imposes the administrative fine in application of Article 58(2)(i) GDPR. The instrument of administrative fines in no way serves the purpose to end infringements. To this end, the AVG and the WOG provide for a number of corrective measures, including the orders referred to in article 100, §1, 8° and 9° WOG. 165. Taking into account Article 83 AVG, the Disputes Chamber motivates the imposition of a administrative sanction in concrete terms: a) the nature, seriousness and duration of the infringement (Art. 83.2 a) GDPR): the infringements found include a violation of the provisions of the GDPR relating to the principles of data protection (Art. 5 GDPR) and the lawfulness of processing (Art. 6 (1) GDPR) as well as transparency (Art. 12 et seq. GDPR). A violation of the aforementioned provisions gives subject to the highest fines in accordance with Art. 83(5) GDPR. It should also be noted the scope of the processing in terms of number involved. The websites concerned belong, according to figures from the Center for Information about the Media (CIM) among the twenty most visited media websites in Belgium, increasing the number of stakeholders can by definition be called significant. b) the previous relevant infringements by the controllers (Art. 83.2 e) GDPR): the defendant has never been the subject of an enforcement procedure of the Data Protection Authority. h) the way in which the DPA became aware of the infringement (Art. 83.2 h) GDPR): the infringements were not reported by the defendant but were established in the context of an investigation by the Inspectorate on the own initiative of the GBA Management Committee. 166.On April 20, 2022, a sanction form (“form for response against intended sanction”) forwarded to the defendant. In this sanction form, the present decision infringements, as well as the amount of EUR 50,000 that is the intended amount for the fine applies. On 11 May 2022, the defendant submitted its response to this sanction form to the Dispute room. 167. In summary, the defendant states in this reply: (1) According to the defendant, the infringements occurred only for a limited period of time, since the defendant only used the OneTrust cookie tool for 7 months. 88As well as the case law of the Marktenhof, cf., among others, the Brussels Court of Appeal (Markenhof section), X. N.V. t. GBA, Judgment 2020/1471 of 19 February 2020., Decision on the substance 85/2022 - 56/58 2) According to the defendant, the Disputes Chamber incorrectly refers to a “large number” parties involved”, where, according to the defendant, the Disputes Chamber does not demonstrate which concrete order this goes. According to the defendant, the CIM ranking gives “no” indication of the number of visitors”, or those involved – as only the visits are measured. After all, multiple visits can be attributed to the same data subjects, inter alia because data subjects access the defendant's websites via various visit devices. 3) The defendant also states that it has complaints relating to the methodology which determines the amount of the fine, and makes the comparison with the fines imposed abroad for similar infringements. It also states that the proposed fine is “disproportionate” to the modest turnover that its (investigated) websites collected from digital advertisements. 4) Finally, the defendant states that the turnover to which the sanction form refers is this of the entire group, and that this turnover may not be fully taken into account for the calculation of the fine, as not all subsidiaries are part of “same economic unit”. 168. As regards the defendant's first argument in its reply to the fine form, the Disputes Chamber refers to the findings made by the Inspectorate on a number of concrete points in time within the period of its investigation. The fact that a change in the management of the defendant's websites took place after these findings, without prejudice to the infringements established at those times. It is true that the The Disputes Chamber can take into account an improvement of the situation during the procedure with the Data Protection Authority, but this is required admittedly that the defendant indicates inconcreto why and how a certain changed situation can be considered a mitigating circumstance. In this regard, the defendant does not demonstrate that it longer use of the OneTrust cookie tool means that the situation for data subjects in the processing of personal data has subsequently been improved. 169. With regard to the second argument, the Disputes Chamber points out that, although the CIM figures to which, among other things, the Inspectorate referred to in its reports does not provide a concrete indication of the number of people involved, these figures do provide a general indication of the popularity of news websites. The fact that the various organs of the Data protection authority not demonstrating in concrete terms how many data subjects are affected by the activities of a particular controller against which a enforcement proceedings are underway, does not mean that indications of the magnitude of the number of persons involved may not be relevant for the determination of the seriousness of one or more multiple breaches of personal data protection legislation, in particular the, Decision on the merits 85/2022 - 57/58 impact on a certain order of magnitude on those involved. A comparison can be made with a situation in which the number of persons involved cannot be accurately determined, but where there is are indications of the concrete number of those involved. 89 Mutatis mutandis shows the fact that the defendant the (generally stated) order of magnitude of the number of data subjects who use its websites visit, dispute, without providing any evidence to the contrary that it concerns a different order, insufficient to explain why the CIM figures cannot provide an indication of the magnitude of the number of stakeholders. 170. As regards the third argument relating to the amount of the fine, the The Disputes Chamber points out that placing cookies in this matter is a commercial matter for the defendant, in which it has significant financial interests in acquiring the linked ad revenue. The Disputes Chamber refers, for informational purposes, to the directives on administrative monetary sanctions, which were in force at the time of the determination of the 90 Inspection service, and the transfer of the fine form, had not yet been accepted. 171. As a fourth argument, the defendant cites that the Disputes Chamber does not demonstrate that the companies that fall under its umbrella group, are part of the same economic unit. The Disputes Chamber points out in this regard that during the proceedings have arisen against the defendant as a group, and in the proceedings also the defendant appointed in that capacity. In addition, the defendant refers in its reply to the sanction form itself to itself under its legal form as a group, without distinction between the alleged various economic activities, or without present as part of a (segregated) economic activity. The Dispute Room emphasizes that it can impose fines on the basis of the turnover of a full 91 company, which is undeniable of the group as a legal entity. Superfluously the Disputes Chamber points out that supervisory authorities have the power to – subject to adequate justification – to impose fines of up to 10,000,000, resp. EUR 20,000,000, irrespective of the size of the undertaking, but depending on the type of infringement. 92 172. The whole of the elements set out above justifies an effective, proportionala deterrent sanction as referred to in article 83 AVG, taking into account the certain assessment criteria. The Disputes Chamber points out that the other criteria of art. 83.2. 89Dispute ChamberGBA,Decision4/2021of27January2021,46;an appeal againstthisdecisionwasdeclaredunfounded;Court of Appeal Brussels (Marktenhof), 7 July 2021, 2021/AR/320. 90 Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 16 May 2022, available at: https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-042022-calculation-administrative_en. 91Article 83, paragraphs 4, 5 and 6 GDPR. 92 Ibid., Decision on the merits 85/2022 - 58/58 GDPR in this case are not of a nature that they lead to an administrative fine other than that which the Disputes Chamber has determined in the context of this decision. IV. Publication of the decision Given the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision is published on the website of the in accordance with Article 95, §1, 8° WOG Data protection authority with indication of the identification data of the defendant and this because of the specificity of the present decision – which means that even in the case of omission of identification data makes re-identification unavoidable or at least very probable – as well as the public interest of this decision. FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: - pursuant to Article 58, paragraph 2, point i) j° Article 83 GDPR and Article 100, §1, 13° WOG a to impose an administrative fine of EUR 50,000 for the violation of Article 6(4) 1 GDPR j° Article 129 WEC; Articles 4(11) j° 6(1)(a) and 7(1) GDPR; Articles 5, paragraph 2 and 24 GDPR; Articles 12, paragraph 1, j° 13 and 14 GDPR; Article 5(1)(e) GDPR; and Article 7(3) GDPR. - order the defendant pursuant to Art. 58, paragraph 2, point d) GDPR and Art. 100, § 1, 9° WOG to the processing of personal data in the context of which various infringements were established in the present decision and for which pursuant to the first indent of this operative part a fine was imposed, to be brought in line with the provisions of the AVG within a period of 3 months to be calculated from the receipt of the decision on the merits and to provide evidence thereof. Against this decision, pursuant to art. 108, §1 WOG, appeals must be lodged within a period of thirty days, from the notification, to the Marktenhof, with the Data Protection Authority as Defendant. (Get). Hielke Hijmans Chairman of the Disputes Chamber