AP (The Netherlands) - z-2021-14274
AP - z-2021-14274 | |
---|---|
Authority: | AP (The Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 4(11) GDPR; Article 5(1)(a) GDPR; Article 6(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 02.05.2024 |
Published: | 16.07.2024 |
Fine: | 600,000 EUR |
Parties: | AS Watson (Health & Beauty Continental Europe) B.V. |
National Case Number/Name: | z-2021-14274 |
European Case Law Identifier: | n/a |
Appeal: | Pending appeal |
Original Language(s): | Dutch |
Original Source: | Autoriteit Persoonsgegevens (in NL) |
Initial Contributor: | ec |
The DPA fined the controller of Kruidvat.nl €600,000 for placing tracking cookies before obtaining consent. The DPA also found that a pre-ticked box for accepting tracking cookies does not constitute freely given, specific, informed and unambiguous consent.
English Summary
Facts
The controller AS Watson (Health & Beauty Continental Europe) B.V. is a financial holding company that manages and operates several wholesale and retail businesses. One of them is Kruidvat, a Dutch retail, pharmacy and drugstore chain.
In 2019, the Dutch DPA (“Autoriteit Persoonsgegevens”) started an investigation into different websites, including Kruidvat.nl, to review whether the websites complied with the GDPR when placing (tracking) cookies. At first glance, the DPA found that the website did not seem to comply with the requirements for obtaining consent under the GDPR. Therefore, the DPA sent a letter to the controller on 29 November 2019, which stated that the controller presumably did not comply with the law on obtaining consent for tracking cookies. In the letter, the DPA encouraged the controller to change its practices for obtaining consent for tracking cookies.
After multiple reviews, the DPA found that, as of 16 June 2020, the controller still had not changed its practices. The DPA therefore decided to launch an ex officio investigation into the controller.
In its investigation, the DPA found that the controller placed tracking cookies before obtaining consent from users via a cookie banner. The DPA also found that “accept all cookies” on the controller’s cookie banner was selected by default. Only after clicking through four different steps was the user able to reject cookies.
The controller argued that the investigation by the DPA was unlawful, because the cookies it uses on its website are not public data and the DPA entered the controller's virtual premises without the controller's consent or knowledge. The controller also argued that the DPA had no legal basis for starting an investigation.
Holding
First, the DPA dismissed the controller’s argument and held that the controller’s website is a publicly accessible website, and that visiting it cannot be equated with entering business premises. The DPA also has the authority under the GDPR and the Dutch GDPR implementation law ("Uitvoeringswet Algemene verordening gegevensbescherming") to investigate and proceed with enforcement if there has been a breach of the GDPR.
Secondly, the DPA found that the controller unlawfully processed personal data of users by placing tracking cookies before obtaining consent, violating Article 6(1) GDPR and Article 5(1)(a) GDPR.
Thirdly, on rejecting cookies via the controller's cookie banner, the DPA took into account the CJEU judgment in case C-673/17 Planet49. According to the CJEU, there is no legally valid consent if the placing of cookies on the data subject’s devices relies on a default tick box, which the data subject must uncheck to refuse consent. The DPA therefore held that by using pre-ticked (tracking) cookies, the controller did not obtain freely given, specific, informed and unambiguous consent under Article 4(11) GDPR. The controller thus violated Article 6(1) GDPR and Article 5(1)(a) GDPR for unlawfully processing personal data by not obtaining consent.
The DPA took into account the duration of the violations and noted that the controller had changed its practices as of 1 October 2020. Consent to cookies is no longer ticked by default, and the controller no longer places cookies before obtaining consent.
The DPA therefore fined the controller €600,000 for violating Article 6(1) GDPR and Article 5(1)(a) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dutch Data Protection Authority
PO Box 93374, 2509 AJ The Hague
Hoge Nieuwstraat 8, 2514 EL The Hague
T 0708888500 - F 088-0712140
Confidential/Registered
autoriteitpersoonsgegevens.nl
A.S. Watson Health & Beauty Continental Europe B.V.
Attn: the management
PO Box 34
3927 ZL Renswoude
Date Unmarked May 2, 2024 z-2021-14274
Contact [CONFIDENTIAL] [CONFIDENTIAL]
Subject Decides to impose an administrative fine for violating the General Regulation data protection
Dear members of the management,
The Dutch Data Protection Authority (hereinafter: AP) has decided to A.S. Watson Health & Beauty Continental Europe B.V. (hereinafter: A.S. Watson) to impose an administrative fine of €600,000 for the violation of Article 6, first paragraph, in conjunction with Article 5, first paragraph, under a, of the General Data Protection Regulation (hereinafter: GDPR). The reason for this is that A.S. Watson is not lawful has a basis for processing data because it has failed to consent questions to data subjects for the processing of their data through (tracking) cookies when visiting the website kruidvat.nl.
The AP is of the opinion that imposing an administrative fine on A.S. Watson is not only appropriate but also necessary. A.S. Watson has violated the rights and freedoms of citizens by to process their data in an unlawful manner. The AP believes this is serious and is going to do so for that reason about enforcement against A.S. Watson.
This decision explains the administrative fine. This will be discussed in turn reason for the investigation, the findings of the investigation report, the process, the opinion by A.S. Watson, the violation and the amount of the fine. Finally, the dictum follows.
1. Background investigation
1. A.S. Watson is a company established in Renswoude and active as a financial holding company that offers various wholesale-retail companies managed and exploited. Kruidvat is a subsidiary within the A.S. Watson group.
2.
The First-line Research department of the management Customer Contacts and Controlling Research of the AP In October and November 2019, we started an investigation into various websites, including kruidvat.nl, to test whether those websites meet the requirements for placing (tracking) cookies are set. It is also checked whether consent from those involved has been requested for processing data by means of (tracking) cookies, as well as the manner in which the giving of this permission had been designed.
3. On 29 November 2019, the AP sent a standard-transmitting letter to A.S. Watson in which indicated that the applicable legal framework was probably not complied with. The AP has met the aforementioned letter to A.S. Watson encouraged the method regarding the consent procedure (tracking) cookies against the light.
4. The AP conducted technical research on April 28, 2020, May 7, 2020 and June 16, 2020 and found that A.S. Watson had not adjusted the method.
5. The AP subsequently initiated an ex-officio investigation into a possible violation of the GDPR by A.S. Watson.
2. Findings research reports process flow
6. The findings of the investigation have been recorded in a report. This paragraph summarizes the most important ones findings from this together.
7. A.S. Watson has its head office in the Netherlands.
Research report, appendix 8: extract from Chamber of Commerce.
2 File document 1: research report with appendices.
8. A.S. Watson is responsible for the processing of the GDPR of kruidvat.nl because it 3 goals the means determines the method of questions of consent of kruidvat.nl.
9. The privacy statement of kruidvat.nl states that advertising cookies and tracking are included in a visit to kruidvat.nl 4 cookies are placed and read. The types of personal data are hereby described basis of processing, the types of cookies as well as the retention period are described.
There is also information is given about sharing the collected information with third parties. Finally, the visitor becomes from that website you are informed about the possibility of creating an account and it is visitor is informed about the data required, such as the name and address details, the date of birth, the gender and email address.
10. The First-line Research department of the management Customer contacts and Controlling Research of the AP carried out technical research on the website kruidvat.nl on 28 April 2020 and determined which one cookies, javascripts and web beacons (hereinafter collectively referred to as: “cookies”) are placed/loaded when visiting kruidvat.nl. Because the visitor has a consent procedure must go through to share certain data (cookie window), the AP has looked at both consent procedure itself and the placement of cookies both before and after going through the consent procedure.
11. It turned out that cookies were used both before and after completing the consent procedure placed. A.S. Watson has been asked about five cookies by the AP, in particular about the type data processing per cookie, whether or not to assign a unique identifier to (the device of) the visitor, the purpose of cookies and finally any processing by and processing agreements with third parties.
12. In response to that request, A.S. Watson provided information to the AP about the five on 21 July 2020 requested cookies. Partly due to the response that A.S. Watson has given in the research report established the following.
13. The first-party peerius_user cookie and first-party unless_visitorID cookie assign a unique user ID to the website visitor, with goal personalization and keeping track of (future) repeating visits.
14. The first-party peerius_sess cookie collects information about the specific visit (session) of a visitor device at a certain time.
It then depends on which pages are visited, which ones products are added to the shopping cart and which ones are purchased, based on which recommendations is clicked, the email address, user ID, IP address and user agent. The purpose of this cookie is to offer this information about the visit a better user experience to the website visitor behind it the unique user ID.
3 Research report, appendix 3: letter from A.S. Watson dated 21 July 2020.
4 Consulted by the AP on September 23, 2020 at 2:07 PM.
15. The first-party cookies also have a certain function determined by technical research validity period:
a. peerius_user: until 14 January 2040 11:39:10 am (approx. 19 years and 9 months)
b. unless_visitorID: until April 28, 2021 11:39:10 am (approx. 1 year)
c. peerius_sess: until 28 April 2020 15:39:10 (approx. a few hours)
16. The third-party Unless javascript collects analytical data per page visit based on aggregated/aggregated behavioral scores, the URL and so-called custom events. The IP address and user agent is also processed and sent. The IP address is not stored, but used to determine the location of the browser session. All this data is sent by A.S. Watson to a third party that processes this data. The purpose of this processing is personalization and the optimizing the user experience. With this third party, A.S. Watson has processing agreement concluded.
17. The third-party Google Analytics tracking beacon collects data for the purpose of obtaining statistical insights into the use of kruidvat.nl. This data is sent to a third party (Google) with which a processing agreement has been concluded.
18. Finally, each of the above cookies has been determined to have been placed before the visitor kruidvat.nl had given permission. On May 11, 2021, it was once again determined that the third-party Unless JavaScript was executed before permission was given.
19. The way in which A.S.
Watson asks the visitor of the website kruidvat.nl for permission 6 Placing cookies consists of a number of steps. In the first step, two options are displayed: “I agree to the use of cookies” and “Would you like to know more?”
20. In the second step (after clicking on “Want to know more?”) the choice is given between “Agree continue” and “More information”.
21. In the next step (after clicking on “More information”), a slider becomes visible with the options “Functional Cookies”, “Required Cookies” and “Advertising Cookies”. A.S. Watson has ensured that the slider default was set to the option “Advertising Cookies”. The three other options were “Cancel”, “Send Preferences” and “Advanced Settings”.
5 'User agents, Trafic sources-referrers/campaigns/Sources, clientID/visitorID, Location, language, Page URL, Page Title', see research report, p. 28.
6 Research report, appendix 5: technical research 28 April 2020.
22. In the fourth step (after clicking on “Advanced Settings”), separate permission can be given for Functional Cookies and Advertising Cookies by clicking “allow”. There are also two options: “Cancel” and “Send Preferences”.
23. In step five (after clicking on “Send Preferences”), the website visitor is informed about the fact that the settings have been sent and that the consent procedure is over.
24. The investigation report established that A.S. Watson set permission as the default as the entire 7 procedure will continue as long as no settings are actively changed by the visitor.
25. At the time of the investigation, the Primary Research Department of the management had customer contacts Verifying investigation by the AP on September 4, 2020 determined that asking permission for the placing of cookies had been changed, but that on the same date the “Advertising cookies” was still standard were checked. The AP pointed this out to A.S. Watson on 24 September 2020 and to additional questions were asked to A.S. Watson.
On October 5, 2020, the AP determined that the consent procedure was adjusted and that there was no longer any question of pre-filled boxes/pre-filled consent. This change is the result of, according to A.S. Watson, the implementation of eLab2.0, in which a future-proof cookie policy is used by means of a technical improvement of the codebase of the website kruidvat.nl.
26. When asked, A.S. Watson indicated that the number of visitors to kruidvat.nl during the period from November 29, 2019 to June 25, 2020 was on [CONFIDENTIAL]. It is for A.S. Watson unknown how many unique visitors it concerns because of the possibility that the same user different devices used.
27. The above is done by the department of primary research of management, customer contacts and control Research from the AP was submitted in a report, which report was signed on 1 July 2021 A.S. Watson is sent. 9
7 Research report, appendix 5: technical research 28 April 2020.
8 Research report, appendix 3: letter from A.S. Watson dated 21 July 2020.
9 File document 1: research report with appendices.
28. By letter of 19 August 2021, the Enforcement department of the Legal Affairs Directorate Legislative advice from the AP expresses its intention to move to enforcement. A.S. Watson is included given the opportunity to express her views on the investigation report. 10 11
29. A.S. Watson gave her written opinion on the report on 31 October 2021.
30. By letter dated 14 January 2022, the Enforcement Department of the AP requested additional information requested, to which A.S. Watson responded on January 31, 2022.
31. Due to limited capacity at the AP, this procedure was subsequently halted. On October 11, 2023 has A.S. Watson explained her views orally.
3. Legal framework
32. For a better readability of this decision, the relevant legal framework is included in the appendix. legal framework is part of this decision.
4. View A.S. Watson
33. A.S.
Watson has – in short – given the following view on the report.
34. The AP's investigation is unlawful, because the cookies and similar techniques are on the website kruidvat.nl may not be regarded as public data in the AP without prior notice with the permission or knowledge of A.S. Watson to enter her virtual courtyard. In addition, the AP used a 'tool' that is not user-friendly. That is why the AP was forced to to make the results transparent via expensive software that is not available to everyone stands.
35. In addition, there is no legal basis for the investigation that the AP conducted.
36. A.S. Watson cannot deduce from the conclusion in the investigation report which accusation she is facing must defend herself. This has damaged her rights of defence. This is stated in the investigation report it is not clear whether A.S. Watson has committed one or more violations, which violation in which period was committed and what the duration of the offense was.
10 File document 2: Letter of intention to enforce dated 19 August 2021.
11 File document 3: Written opinion of A.S. Watson from 31 October 2021.
37. The AP has not investigated how many users actually register and whether the collected information can be linked to the registration data of users. Nor has the AP investigated for which the cookies in question were used. The AP is therefore in conflict with it principle of care has been taken.
38. The research report did not determine which cookies were placed at the time the option was selected “advertising cookies” was accepted.
39. A.S. Watson did not have the actual or legal options to use cookies identify natural persons.
40. The use of the concept of “personal data” from the Telecommunications Act (Tw) de facto constitutes a unauthorized extension of that concept as included in the AVG.
41. A.S. Watson has not followed visitors to its website on other websites.
42.
The number of visitors to the website kruidvat.nl cannot serve as a basis for determining the size and scope of a possible violation.
43. With the accept deal checkboxes, visitors of Kruidvat.nl exclude permission has been given for the placement of cookies and similar techniques and therefore no there is an ambiguous given consent.
44. A.S. Watson has not used the tracking functionalities of 'Unless' and 'Peerius' in the period between 1 October 2020 and 11 May 2021 without prior permission from visitors.
45. A.S. Watson had no prior use of Google Analytics in the period from 1 October 2020 permission from visitors is required because from that date Google Analytics will only be used for measuring the qualities and effectiveness of the website.
46. Insofar as there was a violation, the duration was limited to the period between April 28 2020 and 1 October 2020. If there is a violation, then a reprimand would be more proportionate to the standard violated, which can be regarded as a minor infringement.
5. Assessment
5.1 Controller and authority AP
47. It is established and not in dispute that A.S. Watson is the controller (Article 4, opening words under 7, GDPR).
48. The protection of natural persons in the processing of data is a fundamental right that 12 the AP must monitor as the competent supervisory authority. To comply with this, the GDPR is used 14 the AP has been assigned, among other things, the task of enforcing and monitoring the application of the GDPR. For this To be able to carry out its task, the AP has investigative powers, such as carrying out checks and 15 requisitioning information. These investigative powers are used by the inspectors employed by the company AP employment. In the context of an investigation into A.S. Watson, the inspectors of the AP the website kruidvat.nl visited with the use of tools to conduct technical research results of this are written down in a report of official action.
49.
The website kruidvat.nl is an accessible website for everyone. That is also exactly the purpose of that website. After all, A.S. Watson uses kruidvat.nl to sell products to consumers online. The public accessibility of this website is (therefore) essential for A.S. Watson. Other than that A.S. Watson states that the website kruidvat.nl is therefore not equated with a property (or a private domain). Conducting research on a publicly accessible website such as kruidvat.nl is possible in the opinion of the AP, it cannot be equated with entering an office building, a (secondary) branch or another business premises. There is therefore no interference with private life, as A.S. Watson argues. 17 no way.
50. The AP is authorized under the GDPR to investigate the processing of personal data and, where appropriate, the AP can proceed with enforcement when this is the case infringement of the GDPR. in the Implementation Act of the GDPR in Chapter 5 of the General Act administrative law, these powers are further specified. These powers also extend to entering office buildings, (subsidiary) branches and business premises. A.S. Watson's point of view therefore hits no target.
12 Consideration 1 of the GDPR article 1 GDPR.
13 Article 55, first paragraph, GDPR.
14 Article 57, first paragraph, sub a, GDPR.
15 Article 58, first paragraph, GDPR.
16 Article 15, first paragraph, UAVG.
17 Article 8 Convention for the Protection of Human Rights Fundamental Freedoms (ECHR).
5.2 Gathering legality evidence
51. Researchers of the AP are on the basis of article 58 of the GDPR, title 5.2 of the General Act administrative law (Awb) is authorized to conduct investigations. In accordance with Article 5:18 of the Awb, they are authorized matters to investigate. In this study, researchers from the AP have the freedom for everyone accessible website kruidvat.nl visited to do technical research into the operation on that website of cookies.
Such research falls under the authority referred to in Article 5:18 of the General Administrative Law Act. circumstance where a computer program has been used to produce only the results of the Making research transparent does not mean that the evidence gathering is unlawful. From unlawful there is therefore no evidence gathering.
5.3 Principle of due care
52. A.S. Watson's argument that they were wrongly not given the opportunity to respond to the technical investigation of May 11, 2021 and that therefore the AP has acted contrary to it principle of care, fails. And because of the following.
53. The research report shows that technical research has taken place into the cookies on the website kruidvat.nl on 28 April 2020, on 7 May 2020 and on 17 June 2020. The researchers of the AP have Following this research, A.S. Watson was asked, among other things, by letter dated 26 June 2020 to provide information about the cookies that the AP researchers use during that investigation encountered. A.S. Watson responded to this on July 21, 2020, after which the researchers September 24, 2020 have asked additional questions. A.S. Watson has also asked these questions responded, on October 5, 2020. Followed up with another technical investigation on May 11, 2021 carried out, but A.S. Watson was not given the opportunity to respond. Well-being research reports and the underlying documents provided to A.S. Watson on 1 July 2021. has taken advantage of the opportunity given to her to express her views on this matter.
54. The results of the technical research, also taken into account by A.S. Watson The views put forward do not, in the opinion of the AP, provide sufficient support for the conclusion that add the visitors of kruidvat.nl in the period between October 11, 2020 until May 11, 2021 cookies were placed with the aim of processing data before visitors consent had given.
This means that there has been no violation of Article 6, first paragraph, of the GDPR in the period between October 1, 2020 and May 11, 2021.
55. In the opinion of the AP, there is no question of acting contrary to the principle of due care. On the contrary, A.S. Watson has not only been given the opportunity to do so at various times questions to answer based on findings by the researchers of the AP, A.S. Watson has also submitted an opinion. This opinion partly formed the basis for the conclusion of the AP that there is no violation in the period between 1 October 2020 and 11 May 2021.
56. In view of the foregoing, the AP concludes that there is no conflict with it principle of care.
5.4 Processing of personal data
57. This paragraph explains why the AP, unlike A.S. Watson argues, is of the opinion that A.S. Watson on kruidvat.nl has processed personal data by placing cookies.
58. Visitors to the website kruidvat.nl have the option to register 18 address, e-mail address, gender, first name and date of birth are registered. According to A.S. Watson is approximately [CONFIDENTIAL] of the visitors of kruidvat.nl registered. This means that A.S. Watson of the registered visitors, the aforementioned data is processed before the visitors communicate about it have given permission.
59. In addition, it follows from consideration 30 of the GDPR that natural persons can be linked to online identifiers through their equipment, applications, instruments and protocols, such as internet protocol (IP) addresses, identification cookies, or other identifiers such as radio frequency identification tags. This can leave traces, especially when they are with unique identifiers other information received by the servers can be combined and used to set up profiles of natural persons and to recognize natural persons.
60.
A.S. Watson assigns a unique user ID (or visitor ID) to each visitor using cookies, such as highlighted in margin numbers 13 to 17 of this decision.
61. The unique user ID that is the first party cookie 'peerius_user' and the unique visitor ID that is the first party cookie Link 'unless_visitorId' to a visitor, with the aim of tracking returning visitors. This means that a visitor who has previously visited kruidvat.nl can be identified with a unique one user-ID or visitor-ID and the IP-address.
62. Also uses A.S. Watson Unless' third party javascript and third party tracking beacon Google Analytics. Collects data to serve Unless and Google Analytics 21 sent with the aim of creating a personalized experience based on the unique user ID or visitor ID. Unless and Google Analytics can thus be based on this collected data and data they have available to provide a personalized experience back to the website kruidvat.nl.
18 Research report, p. 11 (and appendix 9 to the research report).
19 Speaking notes and opinion session 11 October 2023, margin number 3.7.
20 'aggregated behavorial scores, URL, custom events, IP and user-agent', see research report, p. 27.
21 'User agents, Trafic sources-referrers/campaigns/Sources, clientID/visitorID, Location, language, Page URL, Page Title', see research report, p. 28.
63. This personalized experience together with the unique user ID or visitor ID makes that of the visitors of kruidvat.nl profiles are made. In addition, A.S. Watson can also create interest profiles for himself set up personalization purposes by processing data including the navigation behavior on the web pages (pages viewed) and products added to the shopping cart and purchased products, geolocation and IP address. Kruidvat.nl offers a very wide variety of products. It can concern health products, care products, household products, but also electronics, toys and baby products.
In particular, viewing them in context with the shopping cart added products, purchased products and geolocation (via IP address) linked to unique user ID or visitor-ID can sketch a very specific and invasive profile of the visitors of kruidvat.nl. 22
64. In this context, the AP notes that A.S. Watson itself indicates in its privacy policy that it personal data of visitors is processed. Visitors are explicitly mentioned in the privacy policy informed about the processing of their data. Examples are:
“In this privacy policy we explain what types of data we collect[…]”; 23
“What data may we collect? Information about the type of browser you use when visiting our Sites, your IP address and device address, hyperlinks you clicked, the previous website you visited before coming to our Sites information collected by cookies or similar tracking systems. Your username, profile photo, gender, networks and all other information you want to share when you use third-party sites (such as when you like "Like" 24 functionality on Facebook used)”; and
“We can also tailor our Sites and our products to your interests and needs, through information about you device to collect and link it to your personal data. This way we ensure that our sites are aligned are what interesting to you”. 25
65. For unregistered visitors, this involves the processing of a unique user ID or visitor ID that interchangeable with a name. Such an online identifier counts as personal data in the sense of Article 4, under 1, GDPR. This is because it is possible that the data subject directly or indirectly Identifiable is that this is the case with the unique user ID or visitor ID.
22 See for comparison: Amsterdam Court of Appeal, 5 December 2023, ECLI:NL:GHAMS:2023:2971.
23 Research report, p. 10.
24 Research report, p. 10.
25 Research report, p. 11 (and appendix 5, p. 9 to the research report).
66. In view of the foregoing, the AP concludes that A.S.
Watson may collect personal data from visitors to kruidvat.nl processed.
5.5 Basis for processing data
67. Now there is a question of processing of personal data, it must then be assessed by A.S. Watson there is a basis for this processing. After all, the processing of personal data is only lawful if there is a basis for this. 27
68. A.S. Watson places cookies on the equipment of visitors of kruidvat.nl (from now on: the data subject) with the purpose is to process data. A.S. Watson has been used to place cookies consent from the data subject is required. The consent given by the data subject must consist of several free, specific, informed and unambiguous expression of will, in combination with an unambiguous one active action. Silence, the use of boxes or checkmarks already checked, or inactivity applies not as permission. 29
69. The investigation report shows that during a visit to kruidvat.nl the equipment of the person concerned cookies are placed before the data subject has given permission for them. This is the point following cookies:
- First party cookie 'peerius_user';
- First party cookie 'unless_visitorId';
- Third party javascript from Unless; and 30
- Third party tracking beacon from Google Analytics.
70. This fact in itself constitutes a violation of Article 6, first paragraph, in conjunction with Article 5, first paragraph paragraph, under a, GDPR, because without prior consent, thus unlawful, personal data of the data subject are processed.
26 CJEU 19 October 2016, C-582/14, ECLI:EU:C:2016:779 (Breyer), paragraph 42.
27 Article 6, first paragraph, GDPR.
28 See article 4, preamble under 11, GDPR.
29 Consideration 32 of the GDPR; see also CJEU 1 October 2019, C-673/17, ECLI:EU:C:2019:801 (Planet49), paragraph 61-63.
30 Research report p. 11 and appendix 5 to the research report p. 11 et seq.
71.
It also follows from the research report that the website kruidvat.nl has the checkmark on “agreement” as standard selected, so that the data subject is assumed to agree with it by default 31 placing advertising cookies. Wanted to find out whether the data subject is concerned about “advertising cookies” have been set, the person concerned must take the following steps.
72. In the first step at the bottom of the page, the data subject has the choice of “I agree to the use of cookies” or “want to know more”.
73. Once you click on “want to know more”, the person concerned will arrive at the second step with a subsequent 'pop-up' with the choice of “continue agreeing” or “more information”.
31 Research report p. 12-15.
74. Then, at the third step, the person concerned encounters a successive 'pop-up' containing a vertical slider which is set to “advertising cookies” by default. The data subject has the option on this screen to opt Click on “advanced settings”.
75. When the data subject clicks on this, a 'pop-up' will appear in the fourth step with the option to Allow or refuse functional cookies and advertising cookies.
76. The AP notes that this case concerns pre-checked (advertising) cookies. According to the 32 case law of the Court of Justice of the European Union (CJEU) does not legally valid consent for placing cookies on the data subject's equipment a standard checked check box is used that the data subject must uncheck in case he refuses to give his consent. Now that A.S. Watson has made use of the advance (advertising) cookies that are checked do not imply that they are free, specific, informed persons unequivocal expression of intention by the data subject by means of a statement or a accepts unequivocal action regarding the processing of data.
77.
The AP concludes with regard to pre-checked (advertising) cookies that there is a violation of Article 6, first paragraph, in conjunction with Article 5, first paragraph, under a, GDPR because A.S.Watson has not received permission as intended for the data subject from the person concerned processing of personal data. It follows that A.S. Watson is unlawful, because it is contrary to the GDPR, has acted. 3CJEU1October2019,C-673/17,ECLI:EU:C:2019:801(Planet49),paragraph 63. 14/29 Date Unmarked May 2, 2024 z-2021-14274 5.6 Duration of the violation 78. As of October 1, 2020, A.S. Watson adjusted its working method with regard to asking permission to the data subject to place (the aforementioned) cookies during a visit kruidvat.nl. This adjustment does not include all other cookies, other than necessary cookies. are checked by default. 79. Furthermore, it follows from the research report that the Third Party Javascript of Unless was published on 11 May 2021 found before the person concerned had given permission. A.S. Watson has explained it has been made plausible that Unless's Thirdparty JavaScript only became active after October 1, 2020 the person involved had given permission for this. It has now been determined in the investigation report that mentioned javascript has been found, without its functionality being apparent, and partly in view of what A.S. Watson has argued in her opinion on this point, the AP concludes that A.S. Watson October 1, 2020 only places cookies after the data subject has given permission. 80. This means, as already considered in paragraph 53, that the violation of Article 6, first paragraph, in connection with article 5, first paragraph, under a, GDPR took place until October 1, 2020. 6. Administrative fine 81. The AP is, on the basis of Article 58, second paragraph, at the beginning and below, in connection with Article 83 GDPR read in conjunction with Article 14, paragraph 3, UAVG, the authority to impose an administrative fine. 82. 
The case law of the ECJ shows that the wording of Article 83, paragraph 2, GDPR follows that infringements of the provisions of the GDPR that are culpable by the controller manner committed – that is to say, infringements committed intentionally or negligently – could lead to that the controller may impose an administrative fine on the basis of that article 34 be imposed. In this case there is culpable conduct on the part of A.S. Watson for which the AP will impose a fine. 83. It has been concluded above in paragraphs 70 and 77 that A.S. Watson was wrongfully without permission has processed data from the data subject and has therefore processed Article 6, first paragraph, in conjunction with Article 5, first paragraph, under a, GDPR has been violated. This violation occurred during the period from April 28, 2020 to October 1, 2020. This means that there is one behavior for which a administrative fine will be imposed. 3Research report p.20 and appendix 11 to the research report. 3CJEU5December2023,C-683/21,ECLI:EU:C:2023:949(NVSC)point73and83;CJEU5December2023,C-807/21,ECLI:EU:C:2023:950 (DeutscheWohnen)point68and76. 15/29 Date Unmarked May 2, 2024 z-2021-14274 6.1 Systematics for determining the amount of the fine 84. When exercising its power to impose an administrative fine, the APobserves both Policy rules of the AP regarding determining the amount of administrative fines (Stcrt.2019, 14586)(hereinafter: Fine policy rules) as the Guidelines 04/2022 for the calculation of administrative fines under the GDPR (hereinafter: Guidelines). In the explanatory notes to the Fine Policy Rules 2019 mention that the EDPB does not yet have common principles for calculating fines was established. This was due to legal equality and legal certainty policy to determine with regard to the power to impose a fine. Because within the EDPB the aim was to arrive at joint principles regarding the fine calculation, this was policy is temporary in nature. 
On 24 May 2023, the EDPB adopted the Guidelines. In this policy, joint principles have been laid down for the situation in which companies violate the GDPR. In the present case, the application of the 2019 Fine Policy Rules amounts to the same fine amount as application of the Guidelines.

85. The amount of the fine will be determined as follows:
1. Determining the starting amount of the fine on the basis of the Fine Policy Rules;
2. Consideration of the circumstances based on the Fine Policy Rules;
3. Consideration of the circumstances based on the Guidelines;
4. Determining the amount of the fine and assessing effectiveness, proportionality and deterrence.

86. These parts are discussed in turn below.

6.2 Determining the starting amount based on the Fine Policy Rules

87. In this case, the starting point is the applicable bandwidth of the Fine Policy Rules. In determining the amount of the fine, the AP shall, without prejudice to Articles 3:4 and 5:46 of the General Administrative Law Act, take into account the factors mentioned in Article 7 of the Fine Policy Rules. These factors are also included in Article 83, second paragraph, GDPR and named in the Guidelines.

88. For a violation of Article 6, first paragraph, GDPR, in conjunction with Article 5, first paragraph, under a, GDPR, the AP may impose an administrative fine up to an amount of €20,000,000. In the case of a company, the fine may be up to 4% of the total worldwide annual turnover in the previous financial year, if this figure is higher.

[35] The Guidelines can be consulted at <edpb_guidelines_042022_calculationofadministrativefines_nl_0.pdf (europa.eu)>.
[36] European Data Protection Board, or the European Data Protection Committee referred to in Article 68e of the GDPR.

89. Under the Fine Policy Rules, an infringement is classified into a category according to the provision violated, ranging from category I to IV. The following applies: the more important the provision is for the protection of data, the higher the category of infringement. The Fine Policy Rules stipulate that violations of Articles 5 and 6 GDPR fall into category III. [37] The bandwidth of this category runs from €300,000 to €750,000. This bandwidth will be the starting point for the further calculation of the final fine, after consideration of the relevant factors.

6.3 Assessment of the circumstances based on the Fine Policy Rules

90. When determining the amount of the fine, the relevant circumstances in this case are assessed on the basis of the factors mentioned in Article 7 of the Fine Policy Rules. In each case, the nature, severity and duration of the infringement are taken into account. Other circumstances which are taken into account in each case are the categories of personal data concerned and whether the infringement is intentional or negligent in nature.

i. Nature, severity and duration of the infringement

Nature of the infringement

91. With regard to the nature of the infringement, the AP considers that the infringement relates to the principle of lawfulness. This is one of the six basic principles of the GDPR and therefore a fundamental requirement for the protection of data. The principle of lawfulness guarantees the data subject's control over his data. By assuming tacit consent and making use of pre-filled boxes, A.S. Watson has ignored the principle of lawfulness and harmed the data subject's say over his data. Moreover, the (European) legislator has emphasized that this method of obtaining consent is not in line with the GDPR. [38]

Seriousness of the infringement

92. When determining the seriousness of the infringement, the AP takes into account the extent of the processing, the number of people involved and the damage suffered by them. Furthermore, the AP takes into account how long the infringement has lasted, as well as the type of personal data to which the infringement relates.
[37] See Fine Policy Rules 2019, appendix 2.
[38] Recital 32 of the GDPR.

93. With regard to the extent of the processing, the AP notes that there was no question of extremely large-scale processing, but neither was the processing small-scale. The area of application of the processing was the whole of the Netherlands. Furthermore, A.S. Watson collected the personal data via the website kruidvat.nl, which it operates, by placing (tracking) cookies. With regard to the purpose of the processing, the AP takes into account that the processing of personal data by placing such (tracking) cookies does not fall under any of the main activities of A.S. Watson.

94. With regard to the number of people involved, the AP notes that A.S. Watson has stated that in the period between 29 November 2019 and 25 June 2020 kruidvat.nl had approximately [CONFIDENTIAL] visitors. It is not possible to determine how many of these website visitors are unique visitors. Furthermore, A.S. Watson has substantiated that during the period mentioned, in view of the government restrictions imposed in connection with the COVID-19 pandemic, there was an increase in the number of visitors to kruidvat.nl. Drugstores were designated at the time as essential shops, while other shops had to close their doors. The AP deduces from this that the number of people involved would have been lower under normal circumstances. Given this, the AP judges that even if under normal circumstances the visitor numbers would only be half of [CONFIDENTIAL], there is still a substantial number of visitors. This is also the case if, as A.S. Watson itself indicates, only [CONFIDENTIAL] of those visitors make a purchase or only [CONFIDENTIAL] is logged in. In all cases it concerns [CONFIDENTIAL] logged-in visitors and [CONFIDENTIAL] visitors who have made a purchase, who have been affected by the conduct of A.S. Watson.

95. With regard to (the extent of) the damage, the AP notes that A.S. Watson deprived the data subject of control over his personal data, with which A.S. Watson infringed the rights and freedoms of those involved. In this case, it has not been established that those involved have suffered concrete and demonstrable damage. [40]

Duration of the infringement

96. As mentioned in paragraph 5.6, the AP found that the infringement occurred from April 28, 2020 to October 1, 2020. The infringement found lasted five months.

97. The AP qualifies the nature of the infringement as serious, due to the violation of two fundamental aspects of the GDPR. On the other hand, the infringement was short-lived and the severity of the infringement must be qualified as low.

[39] Research report p. 19 and appendix 3 to the research report.
[40] CJEU 5 March 2024, C-755/21, ECLI:EU:C:2022:202 (Kočner v Europol), point 135.

ii. The intentional or negligent nature of the infringement

98. Pursuant to Article 7, opening words and under b, Fine Policy Rules, the AP takes into account the intentional or negligent nature of the infringement by A.S. Watson. The gravity of the infringement carries greater weight when the controller has consciously committed an infringement. When the infringement is the result of negligent behavior, the gravity of the infringement carries less weight.

99. In this context, the AP takes into account that A.S. Watson followed a method with pre-checked cookies without regard to the requirement that there must be a free, specific, informed and unambiguous expression of will by which the data subject accepts the processing of personal data by means of a statement or an unambiguous action. Furthermore, A.S. Watson only started adapting its working method after it was made aware by the AP, in the standard letter of 29 November 2019, that A.S. Watson infringes the GDPR with its working method. The AP notes that this adjustment could certainly have been made more expeditiously.

iii. The categories of personal data infringed

100. Pursuant to Article 7, paragraph 1, Fine Policy Rules, the AP takes into account the categories of personal data involved in the infringement. If data have been processed that deserve special protection, namely the categories mentioned in Articles 9 and 10 of the GDPR, the AP qualifies the infringement as more serious.

101. The AP notes that there is no question of processing special data in the sense of Articles 9 and 10 of the GDPR. With regard to the amount of data, the AP notes that A.S. Watson has processed a limited number of personal data.

102. Based on the considerations under i, ii and iii, the AP assesses the severity of the violation. The qualifications indicated also determine the amount of the fine within the bandwidth of category III of the Fine Policy Rules. Taking into account the foregoing circumstances, the AP is of the opinion that in this case the severity of this infringement must be qualified as low.

[41] See Fine Policy Rules 2019, appendix 2.

iv. Other relevant circumstances applicable to the present case

103. The AP has taken into consideration the other circumstances as mentioned in Article 7, under k, Fine Policy Rules. The long period between providing the research report to A.S. Watson and the adoption of this enforcement decision is, from the perspective of proportionality, a circumstance the AP takes into account in imposing the fine.

104. Furthermore, it has not become apparent that any of the remaining circumstances mentioned in Article 7 of the Fine Policy Rules and the views have occurred with regard to the infringement by A.S. Watson.

6.4 Assessment of the circumstances based on the Guidelines

105. The Guidelines describe a methodology in which the following are considered successively:
1. What and how many acts and infringements are under assessment;
2. What amount is the starting point for calculating the fine for this;
3. Whether there are mitigating or aggravating circumstances that call for an adjustment of the amount from step 2;
4. What maximum amounts apply to the violations, and whether any increases from the previous step do not exceed this amount;
5. Whether the final amount of the calculated fine meets the requirements of effectiveness, deterrence and proportionality, and is adjusted accordingly if necessary.

106. The number of acts that resulted in infringements of the GDPR and the starting amount for the fine calculation have already been addressed in paragraph 6.2.

107. Like the Fine Policy Rules, the Guidelines prescribe that the AP considers whether there are mitigating or aggravating circumstances that may lead to an adjustment in the classification of the infringement. This must be done on the basis of the circumstances stated in Article 83, second paragraph, opening words and under a to k, GDPR.

108. First of all, attention must be paid to the gravity of the infringement. Account is taken here of the nature, severity and duration of the infringement, as well as the intentional or negligent nature of the infringement and the categories of data processed. These factors have already been discussed in section 6.3. This has led to the severity of the infringement being classified as low.

109. The Guidelines prescribe that, from the point of view of fairness, the size of the company must be taken into account when calculating the amount of the fine. The size of the company is determined based on the turnover. According to the case law of the Court of Justice, the turnover of the entire group must be used to determine the upper limit of the fine. A.S. Watson is a wholly owned subsidiary of A.S. Watson Europe Holding B.V., which in turn is a wholly owned subsidiary of CK Hutchison Holdings Limited. Therefore, the size of the company is determined on the basis of the worldwide turnover of CK Hutchison Holdings Limited. The turnover of CK Hutchison Holdings Limited amounted to €53.5 billion in 2022. [44] The GDPR prescribes a maximum fine of 4% of the total worldwide annual turnover. In this case the legal maximum fine is €2.14 billion.

[42] Guidelines, p. 17.

110. Next, the Guidelines prescribe that the other circumstances from Article 83, second paragraph, GDPR are taken into account. As already mentioned, the circumstances that are taken into account are stated in that provision (under a to k). As another circumstance, the AP has taken into account the long period of time between the issuing of the investigation report and the issuance of an enforcement decision. This is treated as mitigating with regard to the amount of the fine.

6.5 Determining the amount of the fine and assessing effectiveness, proportionality and deterrence

111. In this case, however, the amount of the fine will be determined by applying the basic fine from the relevant category of the Fine Policy Rules. In this specific case, both the Fine Policy Rules and the Guidelines lead to the same outcome for the amount of the fine.

112. This case concerns an infringement to which category III of the Fine Policy Rules applies. The fine range for category III runs from €300,000 to €750,000.

113. In view of all the aforementioned circumstances, the AP will impose a fine of €600,000 for placing cookies without prior legally valid consent from the data subject (Article 6, first paragraph, read in conjunction with Article 5, first paragraph, under a, GDPR). The AP considers this fine appropriate and required.

114. Finally, it must be assessed whether the fine is effective, proportionate and deterrent.
It follows from Article 49, third paragraph, of the Charter of Fundamental Rights of the EU and Articles 3:4 and 5:46, second paragraph, of the General Administrative Law Act that, given the circumstances of the case, the administrative fine may not lead to a disproportionate outcome.

[43] Groupe Gascogne SA v European Commission (Case C-58/12 P, judgment of 26 November 2013), ECLI:EU:C:2013:770, §52-57.
[44] A calculation based on CK Hutchison Holdings Limited's global turnover of HK$457 billion, as parent company of A.S. Watson. See 2022 Annual Results, p. 24.
[45] See Article 83, fifth paragraph, GDPR.

115. An administrative fine is effective when the purpose for which it was imposed is achieved. The purpose may be to punish unlawful conduct, as well as to promote compliance with applicable regulations. Given the considerations regarding the nature, severity and duration of the infringement, as well as the aggravating and mitigating circumstances of Article 83, second paragraph, GDPR, the AP is of the opinion that the present administrative fine achieves both objectives and is therefore effective.

116. The AP considers the fine proportionate, taking into account the seriousness of the violation. Now that one of the basic principles of the GDPR has been violated, the AP considers an administrative fine called for. Partly in view of the previously mentioned turnover of €53.5 billion of the group to which A.S. Watson belongs, the AP concludes that no special circumstances have occurred such that the administrative fine on A.S. Watson would be disproportionate.

117. Finally, the fine imposed must be a deterrent. This means that A.S. Watson will in the future be deterred from infringing the GDPR. The AP is of the opinion that this fine has a deterrent effect.

7. Conclusion

118. The AP imposes on A.S. Watson Health & Beauty Continental Europe B.V., for violation of Article 6, first paragraph, read in conjunction with Article 5, first paragraph, under a, GDPR, an administrative fine in the amount of €600,000. [46]

Yours faithfully,
Dutch Data Protection Authority,

mr. A. Wolfsen
Chair

[46] The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).

Remedies clause

If you do not agree with this decision, you can submit an objection, digitally or on paper, to the Dutch Data Protection Authority within six weeks after the date of dispatch of the decision. Pursuant to Article 38 of the UAVG, submitting an objection suspends the effect of the decision imposing the administrative fine. To submit a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading Object against a decision, at the bottom of the page under the heading Contact the Dutch Data Protection Authority. The address for submitting on paper is: Dutch Data Protection Authority, PO Box 93374, 2509 AJ The Hague. Please state 'Awb objection' on the envelope and put 'objection notice' in the title of your letter. Write in your objection letter at least:
- your name and address;
- the date of your objection;
- the reference (case number) mentioned in this letter, or attach a copy of this decision;
- the reason(s) why you do not agree with this decision;
- your signature.
Attachment 1

General Data Protection Regulation

Article 4 Definitions

For the application of this Regulation the following definitions apply:

1) 'personal data' means any information relating to an identified or identifiable natural person ("the data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more elements that are characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;

2) 'processing' means an operation or set of operations performed on personal data or a set of personal data, whether or not carried out via automated processes, such as collecting, recording, organizing, structuring, storing, updating or changing, querying, consulting, using, providing by transmission, distributing or otherwise making available, aligning or combining, shielding, erasing or destroying data;

[…]

7) 'controller' means a natural or legal person, a government agency, service or other body that, alone or together with others, determines the purpose of and the means for processing data; when the purposes of and the means for this processing are laid down in Union or Member State law, that law may determine who the controller is or according to what criteria he is appointed;

[…]

11) 'consent' of the data subject means any free, specific, informed and unambiguous expression of will by which the data subject accepts the processing of data by means of a statement or an unambiguous action;

Article 5

1. Personal data must:
a) be processed in a manner that is lawful, proper and transparent with regard to the data subject (lawfulness, propriety and transparency);
[…]

Article 6

1. The processing is only lawful if and to the extent that at least one of the following conditions is met:
a) the data subject has given consent to the processing of his personal data for one or more specific purposes;
b) the processing is necessary for the performance of an agreement to which the data subject is a party, or to take measures at the request of the data subject before concluding an agreement;
c) the processing is necessary for compliance with a legal obligation resting on the controller;
d) the processing is necessary to protect the vital interests of the data subject or of another natural person;
e) the processing is necessary for the performance of a task of general interest or of a task in the context of the exercise of public authority assigned to the controller;
f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and fundamental freedoms of the data subject that require the protection of personal data outweigh those interests, especially when the data subject is a child.
Point (f) of the first paragraph shall not apply to processing by public authorities in the context of the performance of their duties.

2. Member States may maintain or introduce more specific provisions to adapt the manner in which the rules of this Regulation regarding processing for the purpose of compliance with paragraph 1(c) and (e) are applied; to this end they can further specify particular requirements for the processing and other measures to ensure lawful and proper processing, also for other specific processing situations as referred to in Chapter IX.
[…]

Article 58 Powers

[…]

2. Each supervisory authority shall have all the following powers to take corrective measures:
[…]
(i) as appropriate to the circumstances of each case, in addition to or instead of the measures referred to in this paragraph, imposing an administrative fine on the basis of Article 83;
[…]

Article 83 General conditions for imposing administrative fines

1. Each supervisory authority shall ensure that the administrative fines imposed pursuant to this article for the infringements of this Regulation mentioned in paragraphs 4, 5 and 6 are in each case effective, proportionate and deterrent.

2. Administrative fines are imposed, depending on the circumstances of the specific case, in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j). When deciding whether an administrative fine will be imposed and on its amount, the following shall be duly taken into account for each concrete case:
a) the nature, severity and duration of the infringement, taking into account the nature, extent or purpose of the processing in question as well as the number of data subjects affected and the extent of the damage suffered by them;
b) the intentional or negligent nature of the infringement;
c) the measures taken by the controller or processor to limit the damage suffered by data subjects;
d) the extent to which the controller or processor is responsible, in view of the technical and organizational measures he has implemented in accordance with Articles 25 and 32;
e) previous relevant infringements by the controller or processor;
f) the extent to which there was cooperation with the supervisory authority to remedy the infringement and limit its possible negative consequences;
g) the categories of personal data to which the infringement relates;
h) the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so to what extent, the controller or processor has reported the infringement;
i) compliance with the measures referred to in Article 58(2), to the extent that they have previously been taken against the controller or processor in question in relation to the same matter;
j) adherence to approved codes of conduct in accordance with Article 40 or to approved certification mechanisms in accordance with Article 42; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains made, or losses avoided, whether or not directly resulting from the infringement.

3. If a controller or a processor intentionally or negligently, with regard to the same or related processing activities, infringes more than one provision of this Regulation, the total fine shall not be higher than that for the most serious infringement.

4. Infringements of the provisions below shall be subject, in accordance with paragraph 2, to administrative fines up to EUR 10 000 000 or, for an undertaking, up to 2% of the total worldwide annual turnover in the previous financial year, if this figure is higher:
a) the obligations of the controller and the processor in accordance with Articles 8, 11, 25 to 39, 42 and 43;
b) the obligations of the certification body under Articles 42 and 43;
c) the obligations of the supervisory body in accordance with Article 41(4).

5. Infringements of the provisions below shall be subject, in accordance with paragraph 2, to administrative fines up to EUR 20 000 000 or, for an undertaking, up to 4% of the total worldwide annual turnover in the previous financial year, if this figure is higher:
a) the basic principles of processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9;
b) the rights of the data subject in accordance with Articles 12 to 22;
c) the transfer of personal data to a recipient in a third country or an international organization in accordance with Articles 44 to 49;
d) all obligations under Member State law adopted under Chapter IX;
e) non-compliance with an order or a temporary or permanent restriction of processing or suspension of data flows by the supervisory authority in accordance with Article 58(2), or failure to grant access in violation of Article 58(1).

6. Non-compliance with an order of the supervisory authority referred to in Article 58(2) is, in accordance with paragraph 2 of this article, subject to administrative fines of up to EUR 20 000 000 or, for a company, up to 4% of the total worldwide annual turnover in the previous financial year, if this figure is higher.

7. Without prejudice to the powers of the supervisory authority to take corrective measures in accordance with Article 58(2), each Member State may lay down rules on whether and to what extent administrative fines can be imposed on government agencies and government bodies established in that Member State.

8. The exercise by the supervisory authority of its powers under this Article is subject to appropriate procedural guarantees in accordance with Union law and Member State law, including an effective remedy and a fair administration of justice.

9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a way that fines are initiated by the competent supervisory authority and imposed by the competent national courts, ensuring that these remedies are effective and have the same effect as the administrative fines imposed by supervisory authorities. The fines are effective, proportionate and deterrent in every case. Those Member States shall communicate to the Commission by 25 May 2018 at the latest the legislative provisions they adopt on the basis of this paragraph, as well as all subsequent amendments thereto and all amending legislation affecting them.

Implementation Act of the General Data Protection Regulation

Article 14 Duties and authorities AP

[…]

3. The Data Protection Authority may, in the event of a violation of the provisions of Article 83, fourth, fifth or sixth paragraph, of the Regulation, impose an administrative fine of at most the amounts mentioned in those paragraphs.

General Administrative Law Act

Article 3:2

When preparing a decision, the administrative body gathers the necessary knowledge about the relevant facts and the interests to be weighed.

Article 3:4

1. The administrative body shall weigh the interests directly involved in the decision, insofar as no limitation arises from a legal requirement or from the nature of the authority to be exercised.

2. The adverse consequences of a decision for one or more interested parties may not be disproportionate in relation to the goals to be served by the decision.

Article 4:8

1. Before an administrative body issues a decision against which an interested party who has not requested the decision is expected to have objections, it gives that interested party the opportunity to submit his views if:
a) the decision would be based on information about facts and interests concerning the interested party, and
b) that information has not been provided by the interested party itself.

2. The first paragraph does not apply if the interested party has not fulfilled a legal obligation to provide data.

Article 5:46

1. The law determines the maximum administrative fine that can be imposed for a specific violation.

2. Unless the amount of the administrative fine has been determined by statutory regulation, the administrative body adjusts the administrative fine to the seriousness of the violation and the extent to which the offender can be blamed for it. The administrative body takes into account, if necessary, the circumstances under which the violation was committed.

3. If the amount of the administrative fine has been determined by statutory regulation, the administrative body shall nevertheless impose a lower administrative fine if the offender can demonstrate that the established administrative fine is too high due to special circumstances.

4. Article 1, second paragraph, of the Criminal Code applies accordingly.