LfD (Lower Saxony) - 4.2 05475-02-0301/21

From GDPRhub
Revision as of 13:54, 18 July 2023 by Mg
Authority: LfD (Lower Saxony)
Jurisdiction: Germany
Relevant Law: Article 6(1)(a) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 17.05.2023
Published:
Fine: n/a
Parties: www.heise.de
National Case Number/Name: 4.2 05475-02-0301/21
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): German
Original Source: LfD (Lower Saxony) (in DE)
Initial Contributor: mg

A German DPA found that a "pay-or-okay" model on the website of a media outlet is, in principle, permissible. In the case at hand, however, the legal requirements for obtaining valid consent were not met.

English Summary

Facts

In 2021 the controller, a media outlet, changed the cookie banner on its website. The new implementation gave the user a choice between consenting to the processing of personal data for the purpose of personalised advertising and buying a subscription that allowed the use of the controller's website without trackers and external advertising.

Several complaints to the DPA for Niedersachsen followed, including one where the data subject was supported by the NGO noyb.

In January 2023, the controller changed the cookie banner again.

Holding

The DPA investigation led to the conclusion that cookies which were not strictly necessary had been set on the user's device before the user had interacted with the cookie banner at all. Under the GDPR, prior consent of the data subject is required for this. By automatically setting cookies and other non-necessary technologies before any interaction with the cookie banner, the controller violated Article 6(1)(a) GDPR.

The DPA also stated that in the first layer of the cookie-banner at least the following pieces of information should be clearly stated for the consent to be validly given:

  • concrete purposes of the processing,
  • information that personal data were matched with data from other sources in order to profile the data subject,
  • information that personal data were shared outside the EEA,
  • the number of other controllers to which data are disclosed.

The DPA stressed how these pieces of information were either completely absent from the first layer or located below the “accept button”, i.e. in a place that the data subject would have looked at after having given their consent.

Another problematic point was that it was not clear whether the explanations provided in the first layer referred to the subscription option, to the option with trackers, or to both. The DPA also held that labelling the button "accept" rather than "consent" did not make clear to the data subject that they were giving a legally binding consent, since "accept" can also be read as acquiescing because one sees no real choice.

Furthermore, consent was not specific, which follows directly from the lack of information about the data processing. A blanket consent, as implemented on the website, is not valid.

Concerning the lawfulness of the so-called pay-or-okay model, the supervisory authority referred to the criteria of the Conference of German Data Protection Authorities (DSK), which stated that the approach as such does not violate the GDPR as long as subscribers and users are offered a similar or the same service if they wish to pay.

On the surface, this seemed to be the case for the controller. A closer look, however, showed that the "accept" option entailed consent not only to advertising trackers but also to personalised content, product development and other purposes. The DPA referred to the EDPB Guidelines 05/2020 on consent under Regulation 2016/679, according to which consent must be "granular", i.e. specific with regard to the individual purposes and processing operations. Here, users unwilling to pay could not select purposes or processing operations but had to give a broad and unspecific consent. Such consent is not valid.

The DPA also found that withdrawing consent was not as easy for the data subject as giving it, contrary to Article 7(3) GDPR.

In light of the above, the DPA issued a warning against the controller pursuant to Article 58(2)(b) GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

local storage objects were set and user data were processed beyond what is necessary for the use of the website. At this point, 7 first-party cookies, 15 third-party cookies, 16 objects in the browser's local storage, 28 third-party hosts and 17 web beacons were detected.

The data protection check of the website www.heise.de on July 14, 2021 also showed that for a user registered as a Pur subscriber at least

     • 10 first-party cookies
     • 13 third-party cookies
     • 10 third-party services
     • 8 local storage objects

and at most

     • 10 first-party cookies
     • 15 third-party cookies
     • 29 third-party service providers
     • 16 local storage objects
     • 17 web beacons (tracking pixels)

were included on the website or delivered from it.

If a non-subscriber clicked the "Accept" button in order to be able to read the website without a Pur subscription,

     • 7 first-party cookies
     • 73 third-party cookies
     • 78 third-party services and
     • 12 local storage objects

were included on the website or delivered from it, which led to processing of user data.

Registration as a Heise Pur subscriber was carried out via the "Register" button in the header of the website or via the "Register now" link in the consent banner.
The evaluation of the consent banner on July 14, 2021 led to the following findings regarding the number of third-party services used on the website, both for use with advertising and for use via the Pur subscription:

[Table of third-party services per usage variant (not reproduced in the machine translation).]

Further information was available on this. The purposes listed in a drop-down menu corresponded to the terminology of the IAB Europe Transparency and Consent Framework (TCF) 2.0. Nor could the user make individual settings within the drop-down menu on the second level of the consent banner. The only option was to click one of the two buttons labelled "Close", after which the privacy manager closed, but the articles on the website remained unreadable for the user.

The warning is based on the results of the technical check and the inspection of July 14, 2021. The results of the technical test largely correspond to the findings of the complainant when visiting the website on July 27, 2021. The consent banner at that time corresponded to the one at the time of the subsequent complaints, in particular the complaint of August 13, 2021. The consent banner was not significantly changed until January 2023, so that today it no longer corresponds to the consent banner to which the complaints relate.


II. Legal assessment

As the supervisory authority for data protection, the State Commissioner for Data Protection of Lower Saxony (LfD Lower Saxony) monitors the application of the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act, the Lower Saxony Data Protection Act and other data protection provisions by non-public bodies and by public bodies in Lower Saxony.

The warning is based on Art. 58(2)(b) GDPR. Under that provision I am authorised to warn a controller that has violated the GDPR through its processing operations. The warning bindingly establishes the data protection violation.

Due to the high number of local storage objects, tracking techniques and third-party services detected on the website at the time of the test, no legal assessment is made of each individual object. The data protection check was also based on the object of the data subject's complaint in procedure 4.2 05475-02-0301/21, namely the lack of lawfulness of the processing of personal data "for web analysis and personalised advertising (tracking)". At their core, all complaints filed are directed against the Pur subscription model integrated into the consent banner, through which persons who did not take out a Pur subscription but wanted to read the content of the website www.heise.de had to agree to "the use of cookies for web analysis and personalised advertising (tracking)".

Re 1.: Violation of Art. 6(1) GDPR

Based on the use of cookies, local storage objects and other tracking techniques and on the integration of third-party services, the processing of personal data of users of the website www.heise.de violated Art. 6(1) GDPR on July 14, 2021 and during the entire period in which the website, and in particular the consent banner, corresponded to its state on the day of the examination, since the requirements for effective consent under Art. 6(1)(a) GDPR were not met.

Processing of personal data within the meaning of Art. 4 No. 1 GDPR

The technical review of the website www.heise.de on July 14, 2021 showed that when the website was first called up in the browser, and before the user had carried out any action on the website, in particular before any button available in the consent banner had been clicked, cookies and local storage objects were set and personal user data, IP addresses and browser information were processed beyond what is necessary for the use of the website. At this time 7 first-party cookies, 15 third-party cookies, 16 objects in the browser's local storage, 28 third-party hosts and 17 web beacons were detected.

Some of these processes led directly to the processing of personal data. When the website www.heise.de was called up, the IP address and browser data of the users were transmitted to numerous servers of third-party service providers. The same applied to the objects stored in local storage and to the web beacons. According to the established case law of the CJEU, an IP address is personal data regardless of whether it is dynamic or static.

Irrespective of this, all of these objects led, at the latest when they were read out on a later call of the website, in particular by the third-party service providers, to the processing of personal data. The unique user identification numbers contained in cookies were transmitted to a wide variety of servers of numerous companies. From the name of the cookie "cid", which could be assigned to the Adform service, it follows, for example, that this service placed an ID in a cookie. The privacy policy available on www.heise.de on July 14, 2021 also pointed out that the cookies used on the website regularly contain an ID:

[Screenshot of the privacy policy excerpt (not reproduced in the machine translation).]
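One way to reproduce the kind of check described in the two paragraphs above, as an added example by the editor rather than the authority's test tooling or code from heise.de: the script below classifies a HAR-style capture of the first page load into the categories the authority counted (first-party cookies, third-party cookies, third-party hosts, web beacons) and flags cookies that carry an opaque identifier, as the "cid" cookie does. The capture, the hosts beacon.example and metrics.example, the cookie names and values, and heise.de as the audited site are all constructed assumptions for the example.

```python
"""Audit the first page load of a website for pre-consent tracking.

Added example for this page; it is neither the authority's test tooling nor
code from heise.de. It reads a HAR-style capture of the very first request,
taken before any button in the consent banner was clicked, and reports the
categories the decision counts: first-party cookies, third-party cookies,
third-party hosts and web beacons (tracking pixels). The capture below is
constructed for the example; hosts, cookie names and values are not a real
recording, and heise.de as the audited site is an assumption.
"""
from typing import Optional, Tuple
from urllib.parse import urlparse

SITE = "heise.de"  # assumption: the audited first-party site


def is_first_party(host: str, site: str = SITE) -> bool:
    """Treat the site and its subdomains as first party, nothing else."""
    host = host.lower().rstrip(".")
    return host == site or host.endswith("." + site)


def parse_set_cookie(header_value: str) -> Tuple[str, str]:
    """'cid=abc123; Domain=.x.example; Path=/' -> ('cid', 'abc123')."""
    pair = header_value.split(";", 1)[0]
    name, _, value = pair.partition("=")
    return name.strip(), value.strip()


def looks_like_identifier(value: str) -> bool:
    """Long opaque values are treated as user IDs (the decision's 'cid' case)."""
    return len(value) >= 16 and value.replace("-", "").replace("_", "").isalnum()


def is_web_beacon(entry: dict) -> bool:
    """Tracking pixel heuristic: a tiny image fetched with query parameters.
    A 1x1 GIF is 43 bytes, far too small to be visible content."""
    response = entry["response"]
    mime = response.get("content", {}).get("mimeType", "")
    size = response.get("bodySize", 0)
    has_query = bool(urlparse(entry["request"]["url"]).query)
    return mime.startswith("image/") and size <= 100 and has_query


def audit(har: dict, site: str = SITE) -> dict:
    """Classify every request of the capture. Returns plain lists so a
    pre-consent report can be diffed against a post-'Accept' report."""
    report = {
        "first_party_cookies": [],  # (host, cookie name)
        "third_party_cookies": [],  # (host, cookie name)
        "identifier_cookies": [],   # (host, cookie name) carrying an opaque ID
        "third_party_hosts": set(),
        "web_beacons": [],          # request URLs
    }
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        host = urlparse(url).hostname or ""
        first_party = is_first_party(host, site)
        if not first_party:
            report["third_party_hosts"].add(host)
        for header in entry["response"].get("headers", []):
            if header["name"].lower() != "set-cookie":
                continue
            name, value = parse_set_cookie(header["value"])
            bucket = "first_party_cookies" if first_party else "third_party_cookies"
            report[bucket].append((host, name))
            if looks_like_identifier(value):
                report["identifier_cookies"].append((host, name))
        if is_web_beacon(entry):
            report["web_beacons"].append(url)
    report["third_party_hosts"] = sorted(report["third_party_hosts"])
    return report


def _entry(url: str, mime: str, size: int = 0,
           set_cookie: Optional[str] = None) -> dict:
    """Build one HAR entry with only the fields the audit reads."""
    headers = [{"name": "Set-Cookie", "value": set_cookie}] if set_cookie else []
    return {"request": {"url": url},
            "response": {"headers": headers, "bodySize": size,
                         "content": {"mimeType": mime}}}


# Constructed capture of a first load with no interaction in the banner.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://www.heise.de/", "text/html", 81234,
           "heise_session=abc; Path=/; Secure; HttpOnly"),
    _entry("https://www.heise.de/static/app.js", "application/javascript", 20480),
    _entry("https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXX",
           "application/javascript", 90000),
    _entry("https://fonts.gstatic.com/s/roboto.woff2", "font/woff2", 15000),
    _entry("https://securepubads.g.doubleclick.net/tag/js/gpt.js",
           "application/javascript", 60000),
    _entry("https://beacon.example/px.gif?e=pageview&u=%2F", "image/gif", 43,
           "cid=5f2a9c7e1b3d4e6f8a9b; Domain=.beacon.example; Path=/"),
    _entry("https://metrics.example/collect?v=1&t=pageview", "image/gif", 43,
           "uid=0123456789abcdef0123; Domain=.metrics.example; Path=/"),
]}}


if __name__ == "__main__":
    for key, items in audit(SAMPLE_HAR).items():
        print(f"{key}: {len(items)} {items}")
```

In a real audit the HAR is exported from the browser's developer tools on a fresh profile before anything in the banner is clicked, and the same script is run on a second capture taken after clicking "Accept", so that the difference shows what the consent actually added. Local storage objects do not appear in a HAR and have to be read from the browser separately, and the beacon heuristic (a tiny image fetched with query parameters) is deliberately conservative.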
In the consent banner available on www.heise.de on July 14, 2021, and in particular on its second level "Privacy Manager", no clear differentiation was recognisable as to which of the data processing operations carried out in connection with the integration of third-party services were based on consent and which were not. Both on the first page of the consent banner and in the privacy manager, the user's consent was relied upon. Nevertheless, on the second level "Privacy Manager", which opened after clicking the corresponding link, the following eight providers were listed under the heading "Functional Uses" and the subcategory "Essential", and their use was described as necessary:

[Screenshot of the eight "Essential" providers in the Privacy Manager (not reproduced in the machine translation).]

This representation is to be understood to mean that these services were based on a legal basis under Art. 6(1) GDPR other than consent under Art. 6(1)(a) GDPR. Services used on the website that do not require consent under Art. 6(1)(a) GDPR are not the subject of this decision.
The listing in the Privacy Manager did not fully match the results of the technical review: when the website www.heise.de was first called up on July 14, 2021, connections to the following servers of third-party service providers were identified:

    • cdn.thenewsbox.net
    • fonts.gstatic.com
    • i.ytimg.com
    • securepubads.g.doubleclick.net
    • www.google.com
    • www.googletagmanager.com
    • www.gstatic.com
    • www.youtube-nocookie.com
    • yt3.ggpht.com

It is assumed that these server calls are due to the integration of the third-party services The News Box, Google Fonts, Google Tag Manager, DoubleClick and YouTube.

Irrespective of this lack of transparency regarding the legal basis, consent under Art. 6(1)(a) GDPR must be obtained in advance. It must be obtained before the controller starts processing the personal data for which consent is required (EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, version 1.1, adopted on May 4, 2020, para. 90). Due to the technical design of the website, this requirement was not satisfied for the named cookies, local storage objects and transmissions of user data to third-party services, which occurred at the time the website was called up in the browser without any previous user action.
Invalidity of the consent under Art. 6(1)(a), Art. 4 No. 11 and Art. 7 GDPR

On the website www.heise.de, the processing of personal data of users who were not registered as Pur subscribers, in connection with the extensive setting of cookies, other tracking techniques and the integration of third-party services, was based on consent under Art. 6(1)(a) GDPR. The requirements for effective consent under Art. 4 No. 11 and Art. 7 GDPR were not met.

As already explained, the website www.heise.de offered two options for use: either "With advertising and cookies", in which case the user gave a comprehensive consent by clicking the "Accept" button, or "In the Pur subscription". No data protection consent was obtained from Pur subscribers via the consent banner, only from non-subscribers. This consent did not meet the requirements of the GDPR and was therefore invalid.

The requirements for data-protection-compliant consent are set out in Art. 4 No. 11, Art. 7 and, additionally in relation to the consent of minors, Art. 8 GDPR. According to Art. 4 No. 11 GDPR, consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Art. 7 GDPR provides further conditions for valid consent. Art. 8 GDPR additionally regulates supplementary conditions in the event that a child's consent is to be obtained in relation to information society services.
These legal requirements essentially result in the following test points for assessing the effectiveness of consent:

    • time of consent,
    • extent to which the consent was informed,
    • consent for the specific case,
    • clear affirmative action,
    • voluntariness, in particular no inadmissible influence on the user's decision (so-called nudging),
    • withdrawal of consent,
    • consent to data processing by minors.

Consents given by users via the consent banner on www.heise.de in the design available on July 14, 2021 did not meet these requirements, in particular the requirements that consent be informed and voluntary.

After calling up the website www.heise.de, the following consent banner appeared:

[Screenshot of the first level of the consent banner (not reproduced in the machine translation).]

The information provided in advance did not meet the requirements for informed consent under Art. 4 No. 11 and Art. 7(3) sentence 3 GDPR. When a consent banner is used, not all information can be displayed comprehensively on the first level. But data subjects must be given the following information on the first level, without having to open additional windows:

    • the specific purposes of the processing,
    • if applicable, that individual profiles are created and enriched with data from other websites into comprehensive user profiles,
    • if applicable, that data will also be processed outside the EEA, and
    • to how many controllers the data will be disclosed.

Art. 7(3) sentence 3 GDPR also obliges the operator of the website to inform data subjects of their right of withdrawal before they give their consent.

On the first level of the consent banner on www.heise.de, the user was given only the information framed in red in the screenshot inserted above. Below this short text there was already a button labelled "Accept". By clicking this button the user was supposed to give their consent. There was no other button on any other level of the consent banner through which users could have given their consent. Via the links "Privacy Manager" and "Privacy Policy" the user obtained further information, but only on the second level of the consent banner or in the privacy policy available separately on the website.

The text above the "Accept" button contained no indication that the user of the website was to give a consent under data protection law. The user was not even remotely informed about the processing of personal data, only about the use of cookies. No specific purposes of processing were listed, only "web analysis and personalised advertising (tracking)". This did not satisfy the requirement to name specific purposes. In particular, there was no information that personal data are processed, that individual profiles are created and enriched with data from other websites into comprehensive usage profiles, or that data are transmitted to other controllers on a very large scale; a specific number of recipients must be stated. Finally, there was a note below the "Accept" button that consent could be revoked at any time. However, this appeared only where the user was already supposed to have given consent.

The same applied to the following additional information:

[Screenshot of the additional information below the "Accept" button (not reproduced in the machine translation).]

Although reference was made to "partners" and third-party cookies, the specific number of partners was not stated, the partners were not identified, and the alternative tracking techniques used on the website were not listed.

Also clearly below the "Accept" button, the processing purposes "Store and/or access information on a device" and "Personalised ads and content, ad and content measurement, audience insights and product development" were listed, each with a link to further information. These were predefined purposes of TCF 2.0. In the second one, several purposes, presumably numbers 2 to 10, were combined.

The consent banner was divided vertically into two columns in its upper half: on the left the usage variant "With advertising and cookies" and on the right "In the Pur subscription". The information that followed, however, spread across the entire width of the consent banner and therefore generally referred to both uses. The first paragraph concerned exclusively the usage variant "With advertising and cookies" because it was preceded by "For use with advertising and cookies". The two other processing purposes listed in a new paragraph lacked this addition. Here it remained unclear whether they too referred only to the usage variant "With advertising and cookies".

In the short preceding information text and in the reference to the right of withdrawal below the button, the terms "agree" and "consent" were used for the consent. The labelling of the button with "Accept" did not make it clear to the user that by clicking it they were making a legally binding declaration in the form of a consent under data protection law. The designation "Accept" can generally also be understood in the sense that something is "accepted" or "put up with" because the person accepting sees no real alternative.

Consent was not given "for the specific case". This follows directly from the insufficient information and from the very high complexity of the processing of personal data that was supposed to be covered by the consent. Consent is given for a specific case only if the content, purpose and scope of the declaration are sufficiently specific (Federal Court of Justice, judgment of May 28, 2020 - I ZR 7/16, NJW 2020, 2540, 2544 with further references - Cookie consent II).
additionally ineffective (see Arning/Rothkegel, in: Taeger/Gabel, DSGVO - BDSG - TTDSG, 2022, Art. 4 GDPR, para. 329).

queried.
The users did not give their consent voluntarily within the meaning of Art. 4 No. 11 GDPR. The requirement of voluntariness was not met for a number of reasons. A declaration of intent is given voluntarily only if no pressure or coercion is used to induce the data subject to consent. Recital 42 GDPR explains that consent is to be regarded as freely given only if the data subject "has a genuine or free choice and is able to refuse or withdraw consent without detriment".

The EDPB Guidelines 05/2020 on consent under Regulation 2016/679 state the following on voluntariness in paragraphs 13 and 14:

        "[13] The element 'free' implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. [...] Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. The notion of imbalance between the controller and the data subject is also taken into consideration by the GDPR.

        [14] [...] In general, any element of inappropriate pressure or influence upon the data subject (which may be manifested in many different ways) which prevents a data subject from exercising their free will, shall render the consent invalid."
Due to the specific design of the consent banner on www.heise.de on July 14, 2021, a choice was initially guaranteed by the fact that the user was offered, on the first level of the consent banner, the alternative of purchasing a Pur subscription. The Conference of the Independent Data Protection Supervisory Authorities of the Federation and the Länder (DSK) set out the assessment standards for so-called Pur subscription models in its resolution "Assessment of Pur subscription models on websites" of March 22, 2023. No. 2 of the resolution concerns the question of whether the payment option is an equivalent alternative to consent and reads as follows:

        "Whether the payment option, e.g. a monthly subscription, is to be regarded as an equivalent alternative to consent to tracking depends in particular on whether the user is offered equivalent access to the same service for a fee customary in the market. Equivalent access is generally given if the offers include at least essentially the same service."

In principle, Pur subscribers and users of the website who give their consent are shown the same content on the website. The equivalence of the service is therefore given in principle. However, no equivalence is to be assumed insofar as the consent is significantly more comprehensive than it is presented to the user on the first level of the consent banner.

The first level of the consent banner suggested to users that the Pur subscription was the alternative for ad-free reading of www.heise.de ("without tracking, external banner and video advertising") and presented it as the alternative to reading www.heise.de with consent to advertising and tracking. Nevertheless, a general consent had to be granted for numerous purposes that were not directly related to advertising and tracking.

On the first level of the consent banner, the following purposes were listed for "use with advertising and cookies":

[Screenshot of the listed purposes (not reproduced in the machine translation).]

This information showed that the consent covered not only tracking and personalised advertising but also purposes with no direct connection to advertising, such as storing and/or accessing information on a device, personalised content, content measurement and product development. On the second level, the purposes "Functional", "Functional purposes" and "Additional functions" were listed, which according to their designation stand in contrast to the advertising purposes.

In TCF 2.0, personalised ads (advertising) and personalised content are clearly differentiated from each other. Content means the articles on the media site, not the ads (advertisements). For content there are the TCF 2.0 purposes "Create a personalised content profile", "Select personalised content" and "Measure content performance"; for advertising there are the purposes "Create a personalised ads profile", "Select personalised ads" and "Measure ad performance". In the consent banner these purposes were summarised together.

Beyond the equivalent alternative, the voluntariness of the consent of non-subscribers requires that consent can be given in a granular way. In this regard, the EDPB takes the following legal view (cf. EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, paras. 43 f.):

        "Recital 43 clarifies that consent is presumed not to be freely given if the process/procedure for obtaining consent does not allow data subjects to give separate consent for personal data processing operations respectively (e.g. only for some processing operations and not for others) despite it being appropriate in the individual case. Recital 32 states, 'Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them'.

        If the controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom. This granularity is closely related to the need of consent to be specific, as discussed in section 3.2 further below. When data processing is done in pursuit of several purposes, the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose."

No. 4 of the above-mentioned DSK resolution adopts the requirement of granular consent in line with the EDPB's statements.

By clicking the "Accept" button on the first level of the consent banner, i.e. by a single action of the user, numerous consents to numerous processing operations by numerous different service providers were to be obtained. Such "bundled" consent in the context of websites is not generally assessed as a violation of the GDPR. However, as the EDPB has outlined, bundling individual consents is not permitted without restriction.

Even assuming that the differentiation of purposes defined by TCF 2.0 is considered sufficient, consent would have had to be obtained for each purpose. Users of the website would at least have had to be given the possibility to decide, for each of the seventeen purposes, whether they consent or not. In the consent banner on www.heise.de the user was granted no choice, neither in relation to the various purposes nor in relation to the countless providers. The only options were to consent unreservedly to everything or to use the website with the Pur subscription. In addition, the second level obscured how many individual purposes consent was to be obtained for. Instead of directly listing all 17 purposes of TCF 2.0, only five purposes were listed as quasi-overarching purposes, and the other purposes were mentioned only at lower levels in drop-down menus. A procedure in which no attempt is made to comply with the above requirements on granularity, and in which a "blanket consent" is set against a subscription variant, does not strike an appropriate balance between the fundamental right to data protection under Art. 8 of the EU Charter of Fundamental Rights and the freedom to conduct a business under Art. 16 of the Charter.

Consent is also not voluntary if the data subject cannot refuse or withdraw consent without suffering detriment. The GDPR also takes into account the notion of "imbalance" between the controller and the data subject.

Even if the user had tried to take note of all the necessary information before giving consent, by looking at both the information in the privacy manager and the privacy policy, this was made considerably more difficult for them. Because of the design of the second level of the consent banner, the user first had to open several sub-windows with several clicks before getting even a rough idea of the scope of the processing and, above all, of the enormous number of integrated providers. With the provider overview in particular, the user would have had to spend considerable time merely scrolling through the list once, without actually reading it.

The user therefore had to make a considerable additional effort if they wanted to inform themselves about the scope before consenting. This additional effort was artificially created by the design of the consent banner: the user had to open, read and understand the second and further levels of the consent dialogue. It was not marginal, but a noticeable disadvantage for data subjects compared with subscribers. Ultimately, the so-called privacy manager gave the user further information, but no possibility to configure, i.e. to "manage", the integration of cookies and third-party services in any way.

The overall design of the consent banner on www.heise.de combined many individual design features aimed at inadmissible nudging, a methodical procedure to influence the behaviour of users in the controller's own interest. The only alternative offered to the user to comprehensive consent was the possibility of concluding a Pur subscription. The "Accept" button for giving consent on the first level of the consent banner was bright blue with white lettering. The button for concluding a Pur subscription was white with black lettering and stood out from the likewise white background of the consent banner only by its black border. The consent button was thus designed far more conspicuously, although Heise Medien would have received direct monetary consideration for the journalistic content presented on www.heise.de if a Pur subscription had been concluded.

Art. 7(3) sentence 4 GDPR also requires that it shall be as easy to withdraw as to give consent. Since consent was given in the consent banner, it should also have been possible to withdraw it there. Once the website www.heise.de was usable without a consent banner, there was at the very end of the website, reachable only after a long scroll down, a link labelled "Cookies & Tracking":

[Screenshot of the "Cookies & Tracking" link at the foot of the page (not reproduced in the machine translation).]

If the user clicked on it, the "Privacy Manager" opened:

[Screenshot of the Privacy Manager (not reproduced in the machine translation).]

Contrary to expectations, however, it contained no possibility for the user of the website to revoke the "consent" given. To the left of the link mentioned there was the link "Privacy Policy", via which the user could reach the "Privacy Policy of Heise Medien GmbH & Co. KG" (https://www.heise.de/Datenschutzerklaerung-der-Heise-Medien-GmbH-Co-KG-4860.html). In section "7.3 Access to your consent settings" of that policy there was a reference to the right of withdrawal and a prominent red button with the white caption "Revoke consent". Clicking this button meant that the consent banner was displayed the next time the user called up www.heise.de and the content of the website could not be read. The user again had the choice of giving consent or taking out a Pur subscription.

For withdrawal to be just as easy for the user as consent, it must be possible to declare it in the consent banner, as consent was. In search of the possibility of withdrawal, a user will first click on the "Cookies & Tracking" link. Since no "Revoke consent" button is found there, finding the possibility of withdrawal was made more difficult, and it can be assumed that many users have already given up their search at this point. In the consent banner, under the "Accept" button, there was a note that "consent" can be revoked at any time via the "Privacy" link at the end of each page. A user who gave their "consent" after the first access to the website will presumably not have read this notice and, even if they did, will have forgotten it again by the time they decide to withdraw. There is no way to directly reopen the first level of the consent banner. Irrespective of the extent to which the user has previously (supposedly) consented, they can revoke all consents, but the button is not easy to find. The possibility of withdrawal on the website therefore does not meet the requirements of Art. 7(3) sentence 4 GDPR.

Re 2.:

The costs of the administrative procedure are to be borne by Heise Medien GmbH & Co. KG, since the violation mentioned above gave rise to my administrative action. The amount of these costs can be found in the attached notice of assessment of costs. The cost decision is based on Sections 1, 3 and 5 of the Lower Saxony Administrative Costs Act (NVwKostG) of April 25, 2007 (Lower Saxony Law and Ordinance Gazette, Nds. GVBl. p. 172), in conjunction with No. 1.11 and No. 23 of the cost tariff under § 1 of the Ordinance on Fees and Expenses for Official Acts and Services (General Fee Regulations, AllGO) of 05.06.1997 (Nds. GVBl. p. 171), in the currently valid version.


Notes

The violation on which this warning is based may be taken into account in a decision on imposing a fine for a possible future violation of the GDPR and in the assessment of such a fine in the individual case (Art. 83(2) sentence 2 (e) GDPR).


Legal remedy

An action against this decision may be brought before the Administrative Court of Hanover, Leonhardtstraße 15, 30175 Hanover.






Best regards

On behalf of