AP (The Netherlands) - z-2021-14274

From GDPRhub
AP - z-2021-14274
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 6(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.05.2024
Published: 16.07.2024
Fine: 600,000 EUR
Parties: AS Watson (Health & Beauty Continental Europe) B.V.
National Case Number/Name: z-2021-14274
European Case Law Identifier: n/a
Appeal: Pending appeal
Original Language(s): Dutch
Original Source: Autoriteit Persoonsgegevens (in NL)
Initial Contributor: ec

The DPA fined the controller of Kruidvat.nl €600,000 for placing tracking cookies before obtaining consent. The DPA also found that a pre-ticked box for accepting tracking cookies does not constitute freely given, specific, informed and unambiguous consent.

English Summary

Facts

The controller AS Watson (Health & Beauty Continental Europe) B.V. is a financial holding company that manages and operates several wholesale and retail businesses. One of them is Kruidvat, a Dutch retail, pharmacy and drugstore chain.

In 2019, the Dutch DPA (“Autoriteit Persoonsgegevens”) started an investigation into different websites, including Kruidvat.nl, to review whether the websites complied with the GDPR when placing (tracking) cookies. At first glance, the DPA found that the website did not seem to comply with the requirements for obtaining consent under the GDPR. Therefore, the DPA sent a letter to the controller on 29 November 2019, which stated that the controller presumably did not comply with the law on obtaining consent for tracking cookies. In the letter, the DPA encouraged the controller to change its practices for obtaining consent for tracking cookies.

After multiple reviews, the DPA found on 16 June 2020 that the controller still had not changed its practices. The DPA therefore decided to launch an ex officio investigation into the controller.

In its investigation, the DPA found that the controller placed tracking cookies before obtaining consent from users via a cookie banner. The DPA also found that “accept all cookies” on the controller’s cookie banner was selected by default. Only after clicking through four different steps was the user able to reject cookies.

The controller argued that the investigation by the DPA was unlawful, because the cookies it uses on its website are not public data and the DPA entered the controller's virtual premises without the controller's consent or knowledge. The controller also argued that the DPA had no legal basis for starting an investigation.

Holding

First, the DPA dismissed the controller’s argument and held that the controller’s website is a publicly accessible website, visiting which cannot be equated with entering business premises. The DPA also has the authority under the GDPR and the Dutch GDPR implementation law ("Uitvoeringswet Algemene verordening gegevensbescherming") to investigate and proceed with enforcement if there has been a breach of the GDPR.

Secondly, the DPA found that the controller unlawfully processed personal data of users by placing tracking cookies before obtaining consent, violating Article 6(1) GDPR and Article 5(1)(a) GDPR.

Thirdly, on rejecting cookies via the controller's cookie banner, the DPA took into account the CJEU judgment in case C-673/17 Planet49. According to the CJEU, there is no legally valid consent if the placing of cookies on the data subject’s devices uses a default tick box, which the data subject must uncheck to refuse consent. The DPA therefore held that by using pre-ticked (tracking) cookies, the controller did not obtain freely given, specific, informed and unambiguous consent under Article 4(11) GDPR. The controller thus violated Article 6(1) GDPR and Article 5(1)(a) GDPR for unlawfully processing personal data by not obtaining consent.

The DPA took into account the duration of the violations and noted that the controller has changed its practices since 1 October 2020. Consent to cookies is no longer ticked by default, and the controller no longer places cookies before obtaining consent.

The DPA therefore fined the controller €600,000 for violating Article 6(1) GDPR and Article 5(1)(a) GDPR.
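
A site owner can test for the condition the DPA found (identifier cookies set before the cookie banner is answered) by auditing the Set-Cookie values captured on first page load. The following is an added example, not code from the decision or the AP's tooling: the cookie names and expiry times are those recorded in paragraph 15 of the decision, while the header values, the capture time, the GMT zone, the `JSESSIONID` allowlist entry and the 24-hour threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed capture: Set-Cookie values as a crawler might record them on the
# first page load, before the cookie banner is answered. Cookie names and
# expiry times follow paragraph 15 of the decision; the values, the GMT zone
# and the JSESSIONID entry are made up for this example.
OBSERVED_AT = datetime(2020, 4, 28, 11, 39, 10, tzinfo=timezone.utc)  # assumed capture time
PRE_CONSENT_CAPTURE = [
    "peerius_user=cuid-0001; Expires=Sat, 14 Jan 2040 11:39:10 GMT; Path=/",
    "unless_visitorID=v-0001; Max-Age=31536000; Path=/",
    "peerius_sess=s-0001; Expires=Tue, 28 Apr 2020 15:39:10 GMT; Path=/",
    "JSESSIONID=abc123; Path=/; HttpOnly",
]
STRICTLY_NECESSARY = {"JSESSIONID"}  # hypothetical allowlist kept by the site owner
LONG_LIVED = timedelta(hours=24)     # assumed reporting threshold, not a legal limit


def parse_set_cookie(value, observed_at):
    """Return (name, expiry) for one Set-Cookie value; expiry is None for a session cookie.

    Max-Age takes precedence over Expires (RFC 6265, section 5.3).
    """
    first, *attrs = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    expires = max_age = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            try:
                max_age = int(val)
            except ValueError:
                pass  # malformed Max-Age is ignored
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                pass  # unparseable date is ignored
            else:
                if expires.tzinfo is None:
                    expires = expires.replace(tzinfo=timezone.utc)
    if max_age is not None:
        return name, observed_at + timedelta(seconds=max_age)
    return name, expires


def audit_pre_consent(capture, observed_at, necessary, long_lived=LONG_LIVED):
    """List every cookie set before consent that is not on the allowlist."""
    findings = []
    for value in capture:
        name, expiry = parse_set_cookie(value, observed_at)
        if name in necessary:
            continue
        lifetime = None if expiry is None else expiry - observed_at
        findings.append({
            "cookie": name,
            "lifetime_days": None if lifetime is None
            else round(lifetime.total_seconds() / 86400, 2),
            "long_lived": lifetime is not None and lifetime > long_lived,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_pre_consent(PRE_CONSENT_CAPTURE, OBSERVED_AT, STRICTLY_NECESSARY):
        print(finding)
```

Running the same audit on a capture taken after the banner has been rejected shows whether a refusal is actually honoured.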


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Dutch Data Protection Authority
PO Box 93374, 2509 AJ The Hague
Hoge Nieuwstraat 8, 2514 EL The Hague
T 0708888500 - F 088-0712140
autoriteitpersoonsgegevens.nl

Confidential/Registered
A.S. Watson Health & Beauty Continental Europe B.V.
Attn: the management
PO Box 34
3927 ZL Renswoude

Date: May 2, 2024
Our reference: z-2021-14274

Contact
[CONFIDENTIAL]
[CONFIDENTIAL]

Subject
Decision to impose an administrative fine for violating the General Data Protection Regulation



Dear members of the management,

The Dutch Data Protection Authority (hereinafter: AP) has decided to impose on A.S. Watson Health & Beauty Continental Europe B.V. (hereinafter: A.S. Watson) an administrative fine of €600,000 for the violation of Article 6, first paragraph, in conjunction with Article 5, first paragraph, under a, of the General Data Protection Regulation (hereinafter: GDPR). The reason for this is that A.S. Watson had no lawful basis for processing data, because it failed to ask data subjects for consent to the processing of their data through (tracking) cookies when visiting the website kruidvat.nl.


The AP is of the opinion that imposing an administrative fine on A.S. Watson is not only appropriate but also necessary. A.S. Watson has violated the rights and freedoms of citizens by processing their data in an unlawful manner. The AP considers this serious and is for that reason taking enforcement action against A.S. Watson.


This decision explains the administrative fine. It discusses in turn the reason for the investigation, the findings of the investigation report, the course of the procedure, the view of A.S. Watson, the violation and the amount of the fine. Finally, the dictum follows.











1. Background to the investigation


  1. A.S. Watson is a company established in Renswoude and active as a financial holding company that manages and operates various wholesale and retail companies. Kruidvat is a subsidiary within the A.S. Watson group.


  2. In October and November 2019, the First-line Research department of the Customer Contact and Controlling Research directorate of the AP started an investigation into various websites, including kruidvat.nl, to test whether those websites met the requirements set for placing (tracking) cookies. It was also checked whether consent from data subjects had been requested for processing data by means of (tracking) cookies, as well as the manner in which the giving of this consent had been designed.


  3. On 29 November 2019, the AP sent a standard-transmitting letter to A.S. Watson in which it indicated that the applicable legal framework was probably not being complied with. With that letter, the AP encouraged A.S. Watson to review its method for the consent procedure for (tracking) cookies.


  4. The AP conducted technical research on April 28, 2020, May 7, 2020 and June 16, 2020 and found that A.S. Watson had not adjusted the method.


  5. The AP subsequently initiated an ex-officio investigation into a possible violation of the GDPR by A.S. Watson.


2. Findings of the investigation report and course of the procedure


  6. The findings of the investigation have been recorded in a report. This section summarizes the most important findings from it.

  7. A.S.Watson has its head office in the Netherlands.







      1 Research report, appendix 8: extract from Chamber of Commerce.
      2 File document 1: research report with appendices.

8. A.S. Watson is the controller within the meaning of the GDPR for kruidvat.nl because it determines the purposes and the means of the method of asking for consent on kruidvat.nl. 3

9. The privacy statement of kruidvat.nl states that advertising cookies and tracking cookies are placed and read during a visit to kruidvat.nl. 4 It describes the types of personal data, the basis of processing, the types of cookies and the retention period. Information is also given about sharing the collected information with third parties. Finally, the visitor of that website is informed about the possibility of creating an account and about the data required for it, such as the name and address details, the date of birth, the gender and email address.


10. The First-line Research department of the Customer Contact and Controlling Research directorate of the AP carried out technical research on the website kruidvat.nl on 28 April 2020 and determined which cookies, javascripts and web beacons (hereinafter collectively referred to as: ''cookies'') are placed/loaded when visiting kruidvat.nl. Because the visitor must go through a consent procedure to share certain data (cookie window), the AP looked at both the consent procedure itself and the placement of cookies both before and after going through the consent procedure.


11. It turned out that cookies were placed both before and after completing the consent procedure. The AP asked A.S. Watson about five cookies, in particular about the type of data processing per cookie, whether or not a unique identifier is assigned to (the device of) the visitor, the purpose of the cookies and finally any processing by and processing agreements with third parties.

12. In response to that request, A.S. Watson provided information to the AP on 21 July 2020 about the five requested cookies. Partly on the basis of the response that A.S. Watson gave, the research report established the following.


13. The first-party peerius_user cookie and first-party unless_visitorID cookie assign a unique user ID to the website visitor, with the purpose of personalization and keeping track of (future) repeat visits.


14. The first-party peerius_sess cookie collects information about the specific visit (session) of a visitor device at a certain time. This concerns which pages are visited, which products are added to the shopping cart and which ones are purchased, which recommendations are clicked on, the email address, user ID, IP address and user agent. The purpose of this cookie is to use this information about the visit to offer a better user experience to the website visitor behind the unique user ID.

    3 Research report, appendix 3: letter from A.S. Watson dated 21 July 2020.
    4 Consulted by the AP on September 23, 2020 at 2:07 PM.

15. Technical research also determined that the first-party cookies have a certain validity period:
            a. peerius_user: until 14 January 2040 11:39:10 am (approx. 19 years and 9 months)
            b. unless_visitorID: until April 28, 2021 11:39:10 am (approx. 1 year)
            c. peerius_sess: until 28 April 2020 15:39:10 (approx. a few hours)


16. The third-party Unless JavaScript collects analytical data per page visit based on aggregated behavioral scores, the URL and so-called custom events. The IP address and user agent are also processed and sent. The IP address is not stored, but used to determine the location of the browser session. All this data is sent by A.S. Watson to a third party that processes this data. The purpose of this processing is personalization and optimizing the user experience. A.S. Watson has concluded a processing agreement with this third party.


17. The third-party Google Analytics tracking beacon collects data for the purpose of obtaining statistical insights into the use of kruidvat.nl. This data is sent to a third party (Google) with which a processing agreement has been concluded.


18. Finally, it was determined that each of the above cookies was placed before the visitor of kruidvat.nl had given permission. On May 11, 2021, it was once again determined that the third-party Unless JavaScript was executed before permission was given.

19. The way in which A.S. Watson asks the visitor of the website kruidvat.nl for permission for placing cookies consists of a number of steps. 6 In the first step, two options are displayed: “I agree to the use of cookies” and “Would you like to know more?”


20. In the second step (after clicking on 'Want to know more?') the choice is given between ''Agree continue'' and ''More information''.


21. In the next step (after clicking on ''More information''), a slider becomes visible with the options ''Functional Cookies'', ''Required Cookies'' and ''Advertising Cookies''. A.S. Watson has ensured that the slider was set by default to the option “Advertising Cookies”. The three other options were “Cancel”, “Send Preferences” and “Advanced Settings”.

    5 'User agents, Trafic sources - referrers/campaigns/Sources, clientID/visitorID, Location, language, Page URL, Page Title', see research report, p.28.
    6 Research report, appendix 5: technical research 28 April 2020.


22. In the fourth step (after clicking on “Advanced Settings”), separate permission can be given for Functional Cookies and Advertising Cookies by clicking ''allow''. There are also two options: “Cancel” and “Send Preferences”.


23. In step five (after clicking on “Send Preferences”), the website visitor is informed about
    the fact that the settings have been sent and that the consent procedure is over.


24. The investigation report established that A.S. Watson set consent as the default throughout the entire procedure, as long as no settings are actively changed by the visitor. 7

25. During the investigation, the First-line Research department of the Customer Contact and Controlling Research directorate of the AP determined on September 4, 2020 that the way of asking permission for the placing of cookies had been changed, but that on the same date the ''Advertising cookies'' were still checked by default. The AP pointed this out to A.S. Watson on 24 September 2020 and asked A.S. Watson additional questions. On October 5, 2020, the AP determined that the consent procedure had been adjusted and that there was no longer any question of pre-filled boxes/pre-filled consent. According to A.S. Watson, this change is the result of the implementation of eLab2.0, in which a future-proof cookie policy is applied by means of a technical improvement of the codebase of the website kruidvat.nl.


26. When asked, A.S. Watson indicated that the number of visitors to kruidvat.nl during the period from November 29, 2019 to June 25, 2020 was [CONFIDENTIAL]. It is unknown to A.S. Watson how many unique visitors this concerns, because of the possibility that the same user used different devices.


27. The above was recorded by the First-line Research department of the Customer Contact and Controlling Research directorate of the AP in a report, which was sent to A.S. Watson on 1 July 2021. 9








    7 Research report, appendix 5: technical research 28 April 2020.
    8 Research report, appendix 3: letter from A.S. Watson dated 21 July 2020.
    9 File document 1: research report with appendices.

  28. By letter of 19 August 2021, the Enforcement department of the Legal Affairs and Legislative Advice Directorate of the AP expressed its intention to proceed to enforcement. A.S. Watson was given the opportunity to express its views on the investigation report. 10

  29. A.S. Watson gave its written opinion on the report on 31 October 2021. 11

  30. By letter dated 14 January 2022, the Enforcement department of the AP requested additional information, to which A.S. Watson responded on January 31, 2022.

  31. Due to limited capacity at the AP, this procedure was subsequently halted. On October 11, 2023, A.S. Watson explained its views orally.


3. Legal framework


  32. For better readability of this decision, the relevant legal framework is included in the appendix. The legal framework is part of this decision.


4. View of A.S. Watson


  33. A.S. Watson has – in short – given the following view on the report.


  34. The AP's investigation is unlawful, because the cookies and similar techniques on the website kruidvat.nl cannot be regarded as public data and the AP entered A.S. Watson's virtual premises without its prior permission or knowledge. In addition, the AP used a 'tool' that is not user-friendly. That is why the AP was forced to make the results transparent via expensive software that is not available to everyone.


  35. In addition, there is no legal basis for the investigation that the AP conducted.


  36. A.S. Watson cannot deduce from the conclusion in the investigation report against which accusation it must defend itself. This has damaged its rights of defence. It is not clear from the investigation report whether A.S. Watson has committed one or more violations, which violation was committed in which period and what the duration of the violation was.

      10 File document 2: Letter of intention to enforce dated 19 August 2021.
      11 File document 3: Written opinion of A.S. Watson from 31 October 2021.


37. The AP has not investigated how many users actually register and whether the collected information can be linked to the registration data of users. Nor has the AP investigated what the cookies in question were used for. The AP has therefore acted contrary to the principle of due care.


38. The research report did not determine which cookies were placed at the moment the option “advertising cookies” was accepted.


39. A.S. Watson did not have the actual or legal means to identify natural persons using cookies.


40. The use of the concept of “personal data” from the Telecommunications Act (Tw) de facto constitutes an unauthorized extension of that concept as included in the GDPR.


41. A.S. Watson has not followed visitors to its website on other websites.


42. The number of visitors to the website kruidvat.nl cannot serve as a basis for determining the size and scope of a possible violation.


43. With the accept deal checkboxes, visitors of Kruidvat.nl exclude permission has been given for the placement of cookies and similar techniques and therefore there is no ambiguously given consent.


44. A.S. Watson has not used the tracking functionalities of 'Unless' and 'Peerius' in the period between 1 October 2020 and 11 May 2021 without prior permission from visitors.


45. A.S. Watson did not need prior permission from visitors for the use of Google Analytics in the period from 1 October 2020, because from that date Google Analytics is only used for measuring the quality and effectiveness of the website.

46. Insofar as there was a violation, the duration was limited to the period between April 28

    2020 and 1 October 2020. If there is a violation, then a reprimand would be more
    proportionate to the standard violated, which can be regarded as a minor infringement.
















 5. Assessment


5.1 Controller and authority of the AP


   47. It is established and not in dispute that A.S. Watson is the controller (Article 4, opening words and under 7, GDPR).


   48. The protection of natural persons in the processing of data is a fundamental right 12 that the AP must monitor as the competent supervisory authority. To that end, the GDPR assigns the AP, among other things, the task of enforcing and monitoring the application of the GDPR. 14 To be able to carry out this task, the AP has investigative powers, such as carrying out checks and requisitioning information. 15 These investigative powers are exercised by the inspectors employed by the AP. In the context of the investigation into A.S. Watson, the inspectors of the AP visited the website kruidvat.nl and used tools to conduct technical research. The results of this are written down in a report of official action.


   49. The website kruidvat.nl is a website accessible to everyone. That is also exactly the purpose of that website. After all, A.S. Watson uses kruidvat.nl to sell products to consumers online. The public accessibility of this website is (therefore) essential for A.S. Watson. Contrary to what A.S. Watson states, the website kruidvat.nl can therefore not be equated with a property (or a private domain). Conducting research on a publicly accessible website such as kruidvat.nl cannot, in the opinion of the AP, be equated with entering an office building, a (secondary) branch or other business premises. There is therefore no interference with private life, 17 as A.S. Watson argues, in any way.


   50. The AP is authorized under the GDPR to investigate the processing of personal data and, where appropriate, the AP can proceed with enforcement when there is an infringement of the GDPR. These powers are further specified in the Implementation Act of the GDPR and in Chapter 5 of the General Administrative Law Act. These powers also extend to entering office buildings, (subsidiary) branches and business premises. A.S. Watson's point of view therefore fails.





      12 Recital 1 of the GDPR and Article 1 GDPR.
      13 Article 55, first paragraph, GDPR.
      14 Article 57, first paragraph, under a, GDPR.
      15 Article 58, first paragraph, GDPR.
      16 Article 15, first paragraph, UAVG.
      17 Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR).

5.2 Lawfulness of evidence gathering

   51. Investigators of the AP are authorized to conduct investigations on the basis of Article 58 of the GDPR and Title 5.2 of the General Administrative Law Act (Awb). In accordance with Article 5:18 of the Awb, they are authorized to investigate matters. In this investigation, investigators of the AP visited the website kruidvat.nl, which is freely accessible to everyone, to do technical research into the operation of cookies on that website. Such research falls under the authority referred to in Article 5:18 of the Awb. The circumstance that a computer program was used solely to make the results of the research transparent does not make the evidence gathering unlawful. There is therefore no unlawful evidence gathering.

5.3 Principle of due care


   52. A.S. Watson's argument that it was wrongly not given the opportunity to respond to the technical investigation of May 11, 2021 and that the AP has therefore acted contrary to the principle of due care, fails, for the following reasons.


   53. The research report shows that technical research into the cookies on the website kruidvat.nl took place on 28 April 2020, on 7 May 2020 and on 17 June 2020. Following this research, the investigators of the AP asked A.S. Watson, among other things, by letter dated 26 June 2020 to provide information about the cookies that the AP investigators encountered during that research. A.S. Watson responded to this on July 21, 2020, after which the investigators asked additional questions on September 24, 2020. A.S. Watson also responded to these questions, on October 5, 2020. Subsequently, another technical investigation was carried out on May 11, 2021, to which A.S. Watson was not given the opportunity to respond. However, the research report and the underlying documents were provided to A.S. Watson on 1 July 2021. A.S. Watson has taken advantage of the opportunity given to it to express its views on this matter.

   54. The results of the technical research, also taking into account the views put forward by A.S. Watson, do not, in the opinion of the AP, provide sufficient support for the conclusion that cookies were placed with the visitors of kruidvat.nl in the period between October 11, 2020 until May 11, 2021 with the aim of processing data before visitors had given consent. This means that there has been no violation of Article 6, first paragraph, of the GDPR in the period between October 1, 2020 and May 11, 2021.


   55. In the opinion of the AP, there is no question of acting contrary to the principle of due care. On the contrary, A.S. Watson has not only been given the opportunity at various times to answer questions based on findings by the investigators of the AP, A.S. Watson has also submitted an opinion. This opinion partly formed the basis for the conclusion of the AP that there is no violation in the period between 1 October 2020 and 11 May 2021.


   56. In view of the foregoing, the AP concludes that there is no conflict with the principle of due care.


5.4 Processing of personal data


   57. This section explains why the AP, contrary to what A.S. Watson argues, is of the opinion that A.S. Watson has processed personal data on kruidvat.nl by placing cookies.


   58. Visitors to the website kruidvat.nl have the option to register, whereby address, e-mail address, gender, first name and date of birth are registered. 18 According to A.S. Watson, approximately [CONFIDENTIAL] of the visitors of kruidvat.nl are registered. This means that A.S. Watson processes the aforementioned data of the registered visitors before the visitors have given permission for it.


   59. In addition, it follows from recital 30 of the GDPR that natural persons can be linked to online identifiers through their equipment, applications, instruments and protocols, such as internet protocol (IP) addresses, identification cookies, or other identifiers such as radio frequency identification tags. This can leave traces which, especially when combined with unique identifiers and other information received by the servers, can be used to set up profiles of natural persons and to recognize natural persons.


   60. A.S. Watson assigns a unique user ID (or visitor ID) to each visitor using cookies, as explained in margin numbers 13 to 17 of this decision.


   61. The unique user ID of the first-party cookie 'peerius_user' and the unique visitor ID of the first-party cookie 'unless_visitorId' are linked to a visitor, with the aim of tracking returning visitors. This means that a visitor who has previously visited kruidvat.nl can be identified with a unique user ID or visitor ID and the IP address.


   62. A.S. Watson also uses Unless's third-party JavaScript and the third-party tracking beacon Google Analytics. Data is collected and sent to Unless and Google Analytics 21 with the aim of creating a personalized experience based on the unique user ID or visitor ID. Unless and Google Analytics can thus, based on this collected data and data they have available, provide a personalized experience back to the website kruidvat.nl.

       18 Research report, p.11 (and appendix 9 to the research report).
       19 Speaking notes and opinion session 11 October 2023, margin number 3.7.
       20 'aggregated behavorial scores, URL, custom events, IP and user-agent', see research report, p.27.
       21 'User agents, Trafic sources - referrers/campaigns/Sources, clientID/visitorID, Location, language, Page URL, Page Title', see research report, p.28.


63. This personalized experience together with the unique user ID or visitor ID means that profiles are made of the visitors of kruidvat.nl. In addition, A.S. Watson can also set up interest profiles itself for personalization purposes by processing data including the navigation behavior on the web pages (pages viewed), products added to the shopping cart and purchased products, geolocation and IP address. Kruidvat.nl offers a very wide variety of products. These can be health products, care products, household products, but also electronics, toys and baby products. In particular, viewing the products added to the shopping cart, purchased products and geolocation (via IP address) in context, linked to the unique user ID or visitor ID, can sketch a very specific and invasive profile of the visitors of kruidvat.nl. 22


64. In this context, the AP notes that A.S. Watson itself indicates in its privacy policy that personal data of visitors is processed. In the privacy policy, visitors are explicitly informed about the processing of their data. Examples are:

          “In this privacy policy we explain what types of data we collect[…]”; 23

          “What data may we collect?
         Information about the type of browser you use when visiting our Sites, your IP address and device address, hyperlinks you clicked, the previous website you visited before coming to our Sites and information collected by cookies or similar tracking systems. Your username, profile photo, gender, networks and all other information you want to share when you use third-party sites (such as when you use the "Like" functionality on Facebook)”; 24 and

          “We can also tailor our Sites and our products to your interests and needs, by collecting information about your device and linking it to your personal data. This way we ensure that our sites are aligned with what is interesting to you”. 25


65. For unregistered visitors, this involves the processing of a unique user ID or visitor ID that is interchangeable with a name. Such an online identifier counts as personal data within the meaning of Article 4, under 1, GDPR. This is because it is possible that the data subject is directly or indirectly identifiable, and that is the case with the unique user ID or visitor ID.

66. In view of the foregoing, the AP concludes that A.S. Watson has processed personal data of visitors to kruidvat.nl.

    22 See for comparison: Amsterdam Court of Appeal, 5 December 2023, ECLI:NL:GHAMS:2023:2971.
    23 Research report, p. 10.
    24 Research report, p. 10.
    25 Research report, p. 11 (and appendix 5, p. 9 to the research report).



5.5 Basis for processing data


   67. Now that personal data is being processed, it must then be assessed whether A.S. Watson has a basis for this processing. After all, the processing of personal data is only lawful if there is a basis for it. 27


   68. A.S. Watson places cookies on the equipment of visitors of kruidvat.nl (hereinafter: the data subject) with the purpose of processing data. To place these cookies, A.S. Watson requires the consent of the data subject. The consent given by the data subject must consist of a free, specific, informed and unambiguous expression of will, in combination with an unambiguous active action. Silence, the use of boxes or checkmarks that are already checked, or inactivity does not count as consent. 29


   69. The investigation report shows that during a visit to kruidvat.nl cookies are placed on the equipment of the data subject before the data subject has given consent for them. This concerns the following cookies:

               - First-party cookie 'peerius_user';
               - First-party cookie 'unless_visitorId';
               - Third-party JavaScript from Unless; and
               - Third-party tracking beacon from Google Analytics. 30


   70. This fact in itself constitutes a violation of Article 6, first paragraph, in conjunction with Article 5, first paragraph, under a, GDPR, because personal data of the data subject are processed without prior consent, and thus unlawfully.





       26 CJEU 19 October 2016, C-582/14, ECLI:EU:C:2016:779 (Breyer), paragraph 42.
       27 Article 6, first paragraph, GDPR.
       28 See Article 4, opening words and under 11, GDPR.
       29 Recital 32 of the GDPR; see also CJEU 1 October 2019, C-673/17, ECLI:EU:C:2019:801 (Planet49), paragraphs 61-63.
       30 Research report, p. 11 and appendix 5 to the research report, p. 11 et seq.



71. It also follows from the research report that the website kruidvat.nl has the checkmark for “agreement” selected as standard, so that the data subject is assumed by default to agree to the placing of advertising cookies. 31 To find out whether “advertising cookies” have been set, the data subject must take the following steps.




















72. In the first step at the bottom of the page, the data subject has the choice of “I agree to the use of
    cookies” or “want to know more”.


73. After clicking on “want to know more”, the data subject arrives at the second step, a subsequent 'pop-up' with the choice of “continue agreeing” or “more information”.





















    31 Research report, pp. 12-15.



74. Then, at the third step, the data subject encounters a subsequent 'pop-up' containing a vertical slider which is set to “advertising cookies” by default. On this screen the data subject has the option to click on “advanced settings”.



















75. When the data subject clicks on this, a 'pop-up' appears in the fourth step with the option to allow or refuse functional cookies and advertising cookies.

76. The AP notes that this case concerns pre-checked (advertising) cookies. According to the case law of the Court of Justice of the European Union (CJEU), 32 there is no legally valid consent for placing cookies on the data subject's equipment when a check box that is checked by default is used, which the data subject must uncheck if he refuses to give his consent. Now that A.S. Watson has made use of pre-checked (advertising) cookies, there is no free, specific, informed and unambiguous expression of will by which the data subject accepts the processing of data by means of a statement or an unambiguous action.


77. The AP concludes with regard to pre-checked (advertising) cookies that there is a violation of Article 6, first paragraph, in conjunction with Article 5, first paragraph, under a, GDPR because A.S. Watson has not obtained consent as intended from the data subject for the processing of personal data. It follows that A.S. Watson has acted unlawfully, because contrary to the GDPR.
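
The two findings in paragraphs 69 to 77 (tracking placed before consent, and consent inferred from a pre-checked box) can be checked mechanically against a recorded page-load timeline. The JavaScript below is an added example, not part of the AP's decision or investigation report; the event schema, hosts, category labels and the `session`, `prefs` and `ad_segment` cookies are assumptions, and only `peerius_user` and `unless_visitorId` are names taken from the decision.

```javascript
// Categories that may be used without consent in this model (assumption).
const EXEMPT = new Set(['necessary']);
// Event types that store data on, or send data from, the visitor's device.
const TRACKING_EVENTS = new Set(['cookie_set', 'script_load', 'request']);

// Constructed timeline (milliseconds since navigation), NOT data from the
// investigation report. Hosts, categories and the event schema are hypothetical.
const BEFORE_FIX = [
  { t: 0, type: 'navigation' },
  { t: 120, type: 'cookie_set', name: 'session', category: 'necessary' },
  { t: 180, type: 'cookie_set', name: 'peerius_user', category: 'advertising' },
  { t: 210, type: 'script_load', host: 'unless-script.example', category: 'advertising' },
  { t: 260, type: 'cookie_set', name: 'unless_visitorId', category: 'advertising' },
  { t: 300, type: 'request', host: 'analytics-beacon.example', category: 'advertising' },
  { t: 900, type: 'banner_shown', controls: [
    { category: 'functional', checkedByDefault: false },
    { category: 'advertising', checkedByDefault: true },
  ] },
  // The visitor switches "functional" on and leaves the pre-checked box alone.
  { t: 4200, type: 'consent', categories: ['functional', 'advertising'] },
  { t: 4300, type: 'cookie_set', name: 'prefs', category: 'functional' },
  { t: 4400, type: 'cookie_set', name: 'ad_segment', category: 'advertising' },
];

// Same visit with a corrected flow: nothing pre-checked, tracking only after opt-in.
const AFTER_FIX = [
  { t: 0, type: 'navigation' },
  { t: 120, type: 'cookie_set', name: 'session', category: 'necessary' },
  { t: 400, type: 'banner_shown', controls: [
    { category: 'functional', checkedByDefault: false },
    { category: 'advertising', checkedByDefault: false },
  ] },
  { t: 3900, type: 'consent', categories: ['advertising'] },
  { t: 4000, type: 'cookie_set', name: 'peerius_user', category: 'advertising' },
  { t: 4050, type: 'request', host: 'analytics-beacon.example', category: 'advertising' },
];

// Non-exempt categories whose control is already checked when the banner opens.
function findPreTickedControls(timeline) {
  return timeline
    .filter((e) => e.type === 'banner_shown')
    .flatMap((e) => e.controls)
    .filter((c) => c.checkedByDefault && !EXEMPT.has(c.category))
    .map((c) => c.category);
}

// Map category -> time of valid consent. Consent counts only when the
// category was offered earlier with an unchecked control, so the "yes" is an
// active choice. Pre-checked boxes and consent without a banner never qualify.
function validConsentTimes(timeline) {
  const offeredUnticked = new Set();
  const granted = new Map();
  const ordered = [...timeline].sort((a, b) => a.t - b.t);
  for (const e of ordered) {
    if (e.type === 'banner_shown') {
      for (const c of e.controls) {
        if (!c.checkedByDefault) offeredUnticked.add(c.category);
      }
    } else if (e.type === 'consent') {
      for (const category of e.categories) {
        if (offeredUnticked.has(category) && !granted.has(category)) {
          granted.set(category, e.t);
        }
      }
    }
  }
  return granted;
}

// Tracking events that happened without, or before, valid consent.
function findUnconsentedTracking(timeline) {
  const granted = validConsentTimes(timeline);
  return timeline.filter((e) => {
    if (!TRACKING_EVENTS.has(e.type) || EXEMPT.has(e.category)) return false;
    const consentTime = granted.get(e.category);
    return consentTime === undefined || e.t < consentTime;
  });
}

function auditConsent(timeline) {
  const preTicked = findPreTickedControls(timeline);
  const unconsented = findUnconsentedTracking(timeline).map(
    (e) => `${e.type}:${e.name || e.host}`
  );
  return { preTicked, unconsented, compliant: preTicked.length === 0 && unconsented.length === 0 };
}
```

On `BEFORE_FIX` the audit flags the four items placed before the banner and also `ad_segment`, which was set after the click but rests on the pre-checked box.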







    32 CJEU 1 October 2019, C-673/17, ECLI:EU:C:2019:801 (Planet49), paragraph 63.



5.6 Duration of the violation


   78. As of October 1, 2020, A.S. Watson adjusted its working method with regard to asking the data subject for permission to place (the aforementioned) cookies during a visit to kruidvat.nl. This adjustment means that all cookies, other than necessary cookies, are not checked by default.


   79. Furthermore, it follows from the research report that the third-party JavaScript of Unless was found on 11 May 2021 before the data subject had given consent. A.S. Watson has explained and made plausible that, after October 1, 2020, Unless's third-party JavaScript only became active once the data subject had given consent for this. Now that the investigation report has determined that the said JavaScript was found without its functionality being apparent, and partly in view of what A.S. Watson has argued in its opinion on this point, the AP concludes that since October 1, 2020 A.S. Watson only places cookies after the data subject has given consent.


   80. This means, as already considered in paragraph 53, that the violation of Article 6, first paragraph, in
       connection with article 5, first paragraph, under a, GDPR took place until October 1, 2020.



 6. Administrative fine


   81. On the basis of Article 58, second paragraph, opening words and under i, in conjunction with Article 83 GDPR, read in conjunction with Article 14, paragraph 3, UAVG, the AP is authorized to impose an administrative fine.


   82. The case law of the CJEU shows that it follows from the wording of Article 83, paragraph 2, GDPR that infringements of the provisions of the GDPR committed culpably by the controller (that is to say, infringements committed intentionally or negligently) can lead to an administrative fine being imposed on the controller on the basis of that article. 34 In this case there is culpable conduct on the part of A.S. Watson, for which the AP will impose a fine.


   83. It has been concluded above in paragraphs 70 and 77 that A.S. Watson wrongfully processed data of the data subject without consent and has therefore violated Article 6, first paragraph, in conjunction with Article 5, first paragraph, under a, GDPR. This violation occurred during the period from April 28, 2020 to October 1, 2020. This means that there is one course of conduct for which an administrative fine will be imposed.


       33 Research report, p. 20 and appendix 11 to the research report.
       34 CJEU 5 December 2023, C-683/21, ECLI:EU:C:2023:949 (NVSC), points 73 and 83; CJEU 5 December 2023, C-807/21, ECLI:EU:C:2023:950 (Deutsche Wohnen), points 68 and 76.





6.1 Systematics for determining the amount of the fine


  84. When exercising its power to impose an administrative fine, the AP observes both the Policy Rules of the AP regarding determining the amount of administrative fines (Stcrt. 2019, 14586) (hereinafter: Fine Policy Rules) and the Guidelines 04/2022 for the calculation of administrative fines under the GDPR (hereinafter: Guidelines). The explanatory notes to the Fine Policy Rules 2019 mention that the EDPB had not yet established common principles for calculating fines. For reasons of legal equality and legal certainty, a policy was therefore established with regard to the power to impose a fine. Because the aim within the EDPB was to arrive at joint principles regarding the fine calculation, this policy was temporary in nature. On 24 May 2023, the EDPB adopted the Guidelines. These lay down joint principles for the situation in which companies violate the GDPR. In the present case, the application of the 2019 Fine Policy Rules amounts to the same fine amount as application of the Guidelines.


  85. The amount of the fine will be determined as follows:


         1. Determining the starting amount of the fine on the basis of the Fine policy rules;
         2. Consideration of the circumstances based on the Penalty Policy Rules;
         3. Consideration of the circumstances based on the Guidelines;

         4. Determining the amount of the fine and assessing effectiveness, proportionality and deterrence.


  86. These parts are discussed in turn below.

6.2 Determining the starting amount based on Fine policy rules


  87. In this case, the starting point is the applicable bandwidth of the Fine Policy Rules. In determining the amount of the fine, the AP shall, without prejudice to Articles 3:4 and 5:46 of the General Administrative Law Act, take into account the factors mentioned in Article 7 of the Fine Policy Rules. These factors are also named in Article 83, second paragraph, GDPR and in the Guidelines.


  88. For a violation of Article 6, first paragraph, GDPR, in conjunction with Article 5, first paragraph, under a, GDPR, the AP may impose an administrative fine up to an amount of €20,000,000. In the case of a company, a fine of up to 4% of the total worldwide annual turnover in the previous financial year may be imposed, if this figure is higher.


      35 Guidelines can be consulted at <edpb_guidelines_042022_calculationofadministrativefines_nl_0.pdf (europa.eu)>.
      36 European Data Protection Board, or the European Data Protection Committee referred to in Article 68e of the GDPR.




  89. Under the Fine Policy Rules, an infringement is classified into a category according to the provision violated, ranging from category I to IV. The following applies: the more important the provision is for the protection of data, the higher the category of the infringement. The Fine Policy Rules stipulate that violations of Articles 5 and 6 GDPR fall into category III. 37 The bandwidth of this category runs from €300,000 to €750,000. This bandwidth will be the starting point for the further calculation of the final fine, after consideration of the relevant factors.


6.3 Assessment of the circumstances based on the Fine Policy Rules


  90. When determining the amount of the fine, the relevant circumstances of this case are assessed on the basis of the factors mentioned in Article 7 of the Fine Policy Rules. In each case, the nature, severity and duration of the infringement are taken into account. Other circumstances which are taken into account in each case are the categories of personal data concerned and whether the infringement is intentional or negligent in nature.


      i. Nature, severity and duration of the infringement


      Nature of the infringement

  91. With regard to the nature of the infringement, the AP considers that the infringement relates to the principle of lawfulness. This is one of the six basic principles of the GDPR and therefore a fundamental requirement for the protection of data. The principle of lawfulness guarantees the control of the data subject over his data. By assuming tacit consent and making use of pre-filled boxes, A.S. Watson has ignored the principle of lawfulness and harmed the data subject's say over his data. Moreover, the (European) legislator has emphasized that this method of obtaining consent is not in line with the GDPR. 38


      Seriousness of the infringement


  92. When determining the seriousness of the infringement, the AP takes into account the extent of the processing, the
      number of people involved and the damage suffered by them. Furthermore, the AP takes into account how long
      the infringement has lasted, as well as the type of personal data to which the infringement relates.




      37 See Fine Policy Rules 2019, appendix 2.
      38 Recital 32 of the GDPR.



93. With regard to the extent of the processing, the AP notes that there was no question of extremely large-scale processing, but neither was the processing small-scale. The area of application of the processing covered the whole of the Netherlands. Furthermore, A.S. Watson collected the personal data via the website kruidvat.nl, which it operates, by placing (tracking) cookies. With regard to the purpose of the processing, the AP takes into account that the processing of personal data by placing such (tracking) cookies does not fall under any of the main activities of A.S. Watson.

94. With regard to the number of people involved, the AP notes that A.S. Watson has stated that in the period between 29 November 2019 and 25 June 2020 it had approximately [CONFIDENTIAL] visitors to kruidvat.nl. It is not possible to determine how many of these website visitors are unique visitors. Furthermore, A.S. Watson has substantiated that during the period mentioned, in view of the restrictions imposed by the government in connection with the COVID-19 pandemic, there was an increase in the number of visitors to kruidvat.nl. Drugstores were designated at the time as essential shops, while other shops had to close their doors. The AP deduces from this that the number of people involved would have been lower under normal circumstances. Given this, the AP judges that even if under normal circumstances the visitor numbers would only be half of [CONFIDENTIAL], there is still a substantial number of visitors. This is also the case if, as A.S. Watson itself indicates, only [CONFIDENTIAL] of those visitors make a purchase or only [CONFIDENTIAL] is logged in. In all cases it concerns [CONFIDENTIAL] logged-in visitors and [CONFIDENTIAL] visitors who have made a purchase, who have been affected by the conduct of A.S. Watson.


95. With regard to (the extent of) the damage, the AP notes that the data subject was deprived by A.S. Watson of control over his personal data, with which A.S. Watson has infringed the rights and freedoms of the data subjects. In this case, it has not been established that the data subjects have suffered concrete and demonstrable damage. 40


    Duration of the infringement

96. As mentioned in paragraph 5.6, the AP found that the infringement occurred from April 28, 2020 to October 1, 2020. The infringement found lasted five months.


97. The AP qualifies the nature of the infringement as serious, due to the violation of two fundamental
    aspects of the GDPR. On the other hand, the infringement was short-lived and the severity of the

    infringement must be qualified as low.


    39 Research report, p. 19 and appendix 3 to the research report.
    40 CJEU 5 March 2024, C-755/21, ECLI:EU:C:2022:202 (Kočner v Europol), point 135.






    ii. The intentional or negligent nature of the infringement

98. Pursuant to Article 7, opening words and under b, Fine Policy Rules, the AP takes into account the intentional or negligent nature of the infringement by A.S. Watson. The gravity of the infringement carries greater weight when the controller has consciously committed an infringement. When the infringement is the result of negligent behavior, the gravity of the infringement carries less weight.


99. In this context, the AP takes into account that A.S. Watson followed a method with the pre-checked cookies without regard to the requirement that there must be a free, specific, informed and unambiguous expression of will by which the data subject accepts the processing of personal data by means of a statement or an unambiguous action. Furthermore, A.S. Watson only started adapting its working methods after it was made aware by the AP, in the standard letter of 29 November 2019, that A.S. Watson's working method infringes the GDPR. The AP notes that this adjustment could have been made more expeditiously.

    iii. The categories of personal data infringed


100. Pursuant to Article 7, paragraph 1, Fine Policy Rules, the AP takes into account the categories of personal data involved in the infringement. If data have been processed that deserve special protection, namely the categories mentioned in Articles 9 and 10 of the GDPR, the AP qualifies the infringement as more serious.


101. The AP notes that there is no question of processing special data within the meaning of Articles 9 and 10 of the GDPR. With regard to the amount of data, the AP notes that A.S. Watson has processed a limited number of personal data.


102. Based on the considerations under i, ii and iii, the AP assesses the severity of the violation. The qualifications indicated also determine the amount of the fine within the bandwidth of category III of the Fine Policy Rules. Taking into account the foregoing circumstances, the AP is of the opinion that in this case the severity of this infringement must be qualified as low.

    iv. Other relevant circumstances applicable to the present case






    41 See Fine Policy Rules 2019, appendix 2.



  103. The AP has taken into consideration the other circumstances as mentioned in Article 7, under k, Fine Policy Rules. The long period between providing the research report to A.S. Watson and the adoption of this enforcement decision is reason for the AP to mitigate the fine from the perspective of proportionality.

  104. Furthermore, it has not become apparent that any of the remaining circumstances referred to in Article 7 of the Fine Policy Rules and in the views have occurred with regard to the infringement by A.S. Watson.


6.4 Assessment of the circumstances based on the Guidelines


  105. The Guidelines describe a methodology in which the following are considered successively:

         1. What and how many acts and infringements are under assessment;
         2. What amount is the starting point for calculating the fine for this;
         3. Whether there are mitigating or aggravating circumstances that require an adjustment of the amount from step 2;
         4. What maximum amounts apply to the violations, and whether any increases from the previous step do not exceed this amount;
         5. Whether the final amount of the calculated fine meets the requirements of effectiveness, deterrence and proportionality, and if necessary is adjusted accordingly.

  106. The number of actions that resulted in infringements of the GDPR and the starting amount for the fine calculation have already been qualified under paragraph 6.2.


  107. Like the Fine Policy Rules, the Guidelines prescribe that the AP considers whether there are mitigating or aggravating circumstances that may lead to an adjustment in the classification of the infringement. This must be done on the basis of the circumstances stated in Article 83, second paragraph, opening words and under a to k, GDPR.

  108. First of all, attention must be paid to the gravity of the infringement. Account is taken here of the nature, severity and duration of the infringement, as well as the intentional or negligent nature of the infringement and the categories of processed data. These factors have already been discussed in section 6.3. This has led to the severity of the infringement being classified as low.


  109. The Guidelines prescribe that, from the point of view of fairness, the size of the company must be taken into account when calculating the amount of the fine. The size of the company is determined based on the turnover. According to the case law of the Court of Justice, the turnover of the entire group must be used to determine the upper limit of the fine. A.S. Watson is a wholly owned subsidiary of A.S. Watson Europe Holding B.V., which in turn is a wholly owned subsidiary of CK Hutchison Holdings Limited. Therefore, the size of the company is determined on the basis of the worldwide turnover of CK Hutchison Holdings Limited. The turnover of CK Hutchison Holdings Limited amounted to €53.5 billion in 2022. 44 The GDPR prescribes a maximum fine of 4% of the total worldwide annual turnover. In this case the legal maximum fine is €2.14 billion.

      42 Guidelines, p. 17.


  110. The Guidelines then prescribe that the other circumstances from Article 83, second paragraph, GDPR are taken into account. As already mentioned, the circumstances to be taken into account are stated in that provision (parts a to k).

      As another circumstance, the AP has taken into account the long period of time between issuing the investigation report and issuing an enforcement decision. This is counted as mitigation with regard to the amount of the fine.


6.5 Determining the amount of the fine and assessing effectiveness, proportionality and deterrence


  111. In this case, however, the amount of the fine will be determined by applying the basic fine from the relevant category of the Fine Policy Rules. In this specific case, both the Fine Policy Rules and the Guidelines lead to the same outcome for the amount of the fine.


  112. In this case, it concerns an infringement for which category III of the Fine policy rules apply.
      The fine range for category III ranges from €300,000 to €750,000.


  113. In view of all the aforementioned circumstances, the AP imposes a fine of €600,000 for placing cookies without prior legally valid consent from the data subject (Article 6, first paragraph, read in conjunction with Article 5, first paragraph, under a, GDPR). The AP finds this fine appropriate and called for.


  114. Finally, it must be assessed whether the fine is effective, proportionate and deterrent. From Article 49,

      third paragraph, of the Charter of Fundamental Rights of the EU and articles 3:4 and 5:46, second paragraph, General Administrative Law Act
      It follows that, given the circumstances of the case, the administrative fine does not lead to a disproportionate penalty

      outcome.

      43 Groupe Gascogne SA v European Commission (Case C-58/12 P, judgment of 26 November 2013), ECLI:EU:C:2013:770, §52-57.
      44 A calculation based on CK Hutchison Holdings Limited's global turnover of HK$457 billion, as parent company of A.S. Watson. See 2022 Annual Results, p. 24.
      45 See Article 83, fifth paragraph, GDPR.




  115. An administrative fine is effective when the purpose for which it was imposed is achieved. The purpose may be to punish unlawful conduct, as well as to promote compliance with applicable regulations. Given the considerations regarding the nature, severity and duration of the infringement, as well as the aggravating and mitigating circumstances of Article 83, second paragraph, GDPR, the AP is of the opinion that the present administrative fine achieves both objectives and is therefore effective.


  116. The AP considers the fine proportionate, taking into account the seriousness of the violation. Now that a violation of one of the basic principles of the GDPR has taken place, the AP considers an administrative fine advisable. Partly in view of the previously mentioned turnover of €53.5 billion of the group to which A.S. Watson belongs, the AP concludes that no special circumstances have occurred such that the administrative fine on A.S. Watson would be disproportionate.


  117. Finally, the fine imposed must be a deterrent. This means that A.S. Watson is deterred from infringing the GDPR in the future. The AP is of the opinion that the fine has a deterrent effect.



7. Conclusion


  118. The AP imposes on A.S. Watson Health & Beauty Continental Europe B.V., for violation of Article 6, first paragraph, read in conjunction with Article 5, first paragraph, under a, GDPR, an administrative fine in the amount of €600,000. 46



      Yours faithfully,
      Dutch Data Protection Authority,




      mr. A. Wolfsen

      Chair

      Remedies clause

      If you do not agree with this decision, you can submit an objection digitally or on paper to the Dutch Data Protection Authority within six weeks after the date of dispatch of the decision. Pursuant to Article 38 of the UAVG, submitting an objection suspends the effect of the decision imposing the administrative fine. The AP will only proceed to recovery after the decision has become irrevocable.

      To submit a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading Object against a decision, at the bottom of the page under the heading Contact the Dutch Data Protection Authority.

      The address for submitting on paper is:
      Dutch Data Protection Authority, PO Box 93374, 2509 AJ The Hague.
      Please state 'Awb objection' on the envelope and put 'objection notice' in the title of your letter.

      Write in your objection letter at least:
      - your name and address;
      - the date of your objection;
      - the reference (case number) mentioned in this letter, or attach a copy of this decision;
      - the reason(s) why you do not agree with this decision;
      - your signature.

      46 The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).





























Attachment 1








General Data Protection Regulation

Article 4

Definitions

For the application of this Regulation the following definitions apply:

1) “personal data” means any information relating to an identified or identifiable natural person (“the data subject”); a natural person is considered identifiable if he can be identified directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more elements that are characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;

2) “processing”: an operation or set of operations performed on personal data or a set of personal data, whether or not carried out via automated processes, such as collecting, recording, organizing, structuring, storing, updating or changing, querying, consulting, using, providing by transmission, distributing or otherwise making available, aligning or combining, shielding, erasing or destroying data;

[…]

7) “controller” means a natural or legal person, a government agency, service or other body that, alone or together with others, determines the purpose of and the means for processing data; when the purposes of and the means for this processing are laid down in Union or Member State law, that law may determine who the controller is or according to what criteria he is appointed;

[…]

11) “consent” of the data subject: any free, specific, informed and unambiguous expression of will by which the data subject accepts the processing of data by means of a statement or an unambiguous action;







Article 5

1. Personal data must:

a) be processed in a manner that is lawful, proper and transparent with regard to the data subject (lawfulness, propriety and transparency);
[…]

Article 6

1. The processing is only lawful if and to the extent that at least one of the following conditions is met:

a) the data subject has given consent to the processing of his personal data for one or more specific purposes;

b) the processing is necessary for the performance of an agreement to which the data subject is a party, or to take measures at the request of the data subject before concluding an agreement;

c) the processing is necessary for compliance with a legal obligation that rests on the controller;

d) the processing is necessary to protect the vital interests of the data subject or of another natural person;

e) the processing is necessary for the performance of a task of general interest or of a task in the context of the exercise of public authority vested in the controller;

f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and fundamental freedoms of the data subject that require the protection of personal data outweigh those interests, especially when the data subject is a child.

Point (f) of the first paragraph shall not apply to processing by public authorities in the context of the performance of their duties.

2. Member States may maintain or introduce more specific provisions to adapt the manner in which the rules of this Regulation regarding processing for the purpose of compliance with paragraph 1(c) and (e) are applied; to this end they can determine more precisely specific requirements for processing and other measures to ensure lawful and proper processing, also for other specific processing situations as referred to in Chapter IX.
[…]




Article 58

Powers

[…]

2. Each supervisory authority shall have all of the following powers to take corrective
measures:

[…]

(i) depending on the circumstances of each case, in addition to or instead of the measures referred to
in this paragraph, imposing an administrative fine on the basis of Article 83;

[…]


Article 83

General terms and conditions for imposing administrative fines

1. Each supervisory authority shall ensure that the administrative fines imposed pursuant to this
article for the infringements of this regulation mentioned in paragraphs 4, 5 and 6 are in each case
effective, proportionate and deterrent.

2. Administrative fines are imposed, depending on the circumstances of the specific case,
in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j).
When deciding on whether an administrative fine will be imposed and on its amount,
the following shall be duly taken into account for each concrete case:

(a) the nature, severity and duration of the infringement, taking into account the nature, extent or purpose
of the processing in question as well as the number of data subjects affected and the extent of the
damage suffered by them;

b) the intentional or negligent nature of the infringement;


c) the measures taken by the controller or processor to
limit the damage suffered by those involved;

d) the extent to which the controller or processor is responsible, in view of the
technical and organizational measures he has implemented in accordance with Articles 25 and 32;

e) previous relevant infringements by the controller or processor;

(f) the extent of cooperation with the supervisory authority to remedy the infringement
and limit its possible negative consequences;

g) the categories of personal data to which the infringement relates;

h) the manner in which the supervisory authority became aware of the infringement, in particular
whether, and if so to what extent, the controller or processor has reported the infringement;







(i) compliance with the measures referred to in Article 58(2), to the extent that these have previously
been taken against the controller or processor in question in relation to the same
matter;

j) adherence to approved codes of conduct in accordance with Article 40 or to approved
certification mechanisms in accordance with Article 42; and

k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial gains made, or losses avoided, whether or not directly resulting from the infringement.

3. If a controller or a processor intentionally or negligently, with regard
to the same or related processing activities, infringes more than one
provision of this regulation, the total fine is not higher than that for the most serious infringement.

4. Infringements of the provisions below shall be subject, in accordance with paragraph 2, to administrative
fines up to EUR 10 000 000 or, for an undertaking, up to 2% of the total worldwide annual turnover in
the previous financial year, if this figure is higher:

a) the obligations of the controller and the processor in accordance with
Articles 8, 11, 25 to 39, 42 and 43;

(b) the obligations of the certification body under Articles 42 and 43;

(c) the obligations of the supervising body in accordance with Article 41(4).

5. Infringements of the provisions below shall be subject, in accordance with paragraph 2, to administrative
fines up to EUR 20 000 000 or, for an undertaking, up to 4% of the total worldwide annual turnover in
the previous financial year, if this figure is higher:

a) the basic principles of processing, including the conditions for consent,
in accordance with Articles 5, 6, 7 and 9;

(b) the rights of the data subject in accordance with Articles 12 to 22;

c) the transfer of personal data to a recipient in a third country or an international
organization in accordance with Articles 44 to 49;

(d) all obligations under law established by the Member States under Chapter IX;

e) non-compliance with an order or a temporary or permanent processing restriction or
suspension of data flows by the supervisory authority in accordance with Article 58(2) or
failure to grant access in violation of Article 58(1).

6. Non-compliance with an order of the supervisory authority referred to in Article 58(2) is,
in accordance with paragraph 2 of this article, subject to administrative fines of up to EUR 20 000 000 or,
for a company, up to 4% of the total worldwide annual turnover in the previous financial year, if this
figure is higher.

7. Without prejudice to the powers of the supervisory authority to take corrective measures
in accordance with Article 58(2), each Member State may lay down rules concerning the question whether and
to what extent administrative fines can be imposed on government agencies and government bodies
established in that Member State.

8. The exercise by the supervisory authority of its powers under this Article is
subject to the appropriate procedural guarantees in accordance with Union law and Member State
law, including an effective remedy and a fair administration of justice.

9. Where the legal system of the Member State does not provide for administrative fines, this Article may
be applied in such a way that fines are initiated by the competent supervisory authority
and imposed by the competent national courts, ensuring that these remedies
are effective and have the same effect as the administrative fines imposed by supervisory
authorities. The fines are effective, proportionate and deterrent in every case.
Those Member States shall communicate to the Commission by 25 May 2018 at the latest the legislative provisions they
adopt on the basis of this paragraph, as well as all subsequent amendments thereto and all
amending legislation affecting them.


Implementation Act of the General Data Protection Regulation

Article 14

Duties and authorities AP

[…]

3. The Data Protection Authority may, in the event of a violation of the provisions of Article 83, fourth,
fifth or sixth paragraph, of the regulation, impose an administrative fine of at most the amounts
mentioned in these paragraphs.

General Administrative Law Act


Article 3:2

When preparing a decision, the administrative body gathers the necessary knowledge about the relevant
facts and the interests to be weighed.



Article 3:4

1. The administrative body shall weigh the interests directly involved in the decision, insofar as no
limitation arises from a legal requirement or from the nature of the authority to be exercised.

2. The adverse consequences of a decision for one or more interested parties may not be disproportionate
in relation to the goals to be served by the decision.

Article 4:8

1. Before an administrative body issues a decision against which an interested party who
has not requested the decision is expected to have reservations, it gives that interested party the
opportunity to submit his views if:

(a) the decision would be based on information about facts and interests concerning the interested party, and

b) that data has not been provided by the interested party itself.

2. The first paragraph does not apply if the interested party has not fulfilled a legal obligation
to provide data.

Article 5:46

1. The law determines the maximum administrative fine that can be imposed for a specific violation.

2. Unless the amount of the administrative fine has been determined by statutory regulation, the
administrative body shall set the administrative fine depending on the seriousness of the violation and the extent to which
the offender can be blamed for it. In doing so, the administrative body will, if necessary, take into account the
circumstances under which the violation was committed.

3. If the amount of the administrative fine has been determined by statutory regulation, the
administrative body shall nevertheless impose a lower administrative fine if the offender can demonstrate that the
established administrative fine is too high due to special circumstances.

4. Article 1, second paragraph, of the Criminal Code applies accordingly.

















