APD/GBA (Belgium) - 113/2024
From GDPRhub
| APD/GBA - 113/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(a) GDPR Article 6(1)(a) GDPR Article 7(3) GDPR Article 5(3) Directive 2002/58 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 06.09.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | MediaHuis noyb |
| National Case Number/Name: | 113/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | APD/GBA (Belgium) (in NL) |
| Initial Contributor: | wp |
The DPA ordered a controller to bring the websites’ cookie banners into compliance with the GDPR by adding the reject button within its first layer and changing the colours used.
English Summary
Facts
A data subject visited four website operated by MediaHuis, namely:
- Gazet van Antwerpen;
- De Standaard;
- Het Nieuwsblad;
- Het Belang van Limburg.
On each website there was a cookie banner which:
- Didn’t contain a reject button within its first layer;Buttons colours were misleading;
- It was not as easy to withdraw consent as it was to give it;
- Contained a reference to the legal basis of legitimate interest.
The data subject filed four complaints referring to abovementioned cookie banners with the Belgian DPA (ADP/GBA). noyb was appointed by the data subject as their representative under Article 80(1) GDPR. MediaHuis was assigned the role of data controller.
According to the controller, the law, especially Article 7(3) GDPR or Article 4(11) GDPR, didn’t prescribe the controller to implement reject button within the first layer of the cookie banner or to use different colours for the buttons or to implement consent withdrawal option in a particular way. The fact that the cookie banners were not in line with the guidelines of different data protection authorities and the EDPB, as mentioned by the data subject, did not amount to violation of the GDPR. Moreover, the data subject gave their consent for processing activities of the controller and, for that reason, they had no interest to bring a case before the DPA.
Holding
The DPA found the controller violated the Article 5(1)(a) GDPR, Article 6(1)(a) GDPR, Article 7(3) GDPR.
Firstly, the DPA clarified that for the consent to be freely and unambiguously given under Article 6(1)(a) GDPR and Article 5(3) ePrivacy Directive, the reject button had to be presented alongside the accept button. Otherwise, the data subject would have no real alternative to consenting for placing and processing cookies.
Secondly, the buttons’ colours used by the controller were of deceptive nature. They inclined a data subject to give a consent for the cookies processing. Because of that, the controller was in breach of Article 5(1)(a) GDPR.
Since the cookie banner was lacking of the reject button within its first layer, and the colours used were misleading, the DPA order the controller to bring the cookie banner into compliance with the GDPR within 45 days. The order was combined with a penalty of €25,000 per day and per each website concerned, due if the controller fails to implement the ordered changes. The maximum amount of total penalty was set on €10,000,000.
Thirdly, the controller violated Article 7(3) GDPR. To withdraw the consent given, a data subject had to perform more actions - “click more” – whilst to give a consent only one click sufficed. Nevertheless, the controller updated their websites by adding the reject button to the first layer of cookie banner and the option to withdraw the consent, using the manage link at the bottom of each website. The violation was remedied, accordingly the DPA reprimanded the controller.
Fourthly, the legitimate interest called upon by the controller covered placing and processing of the cookies, which were not “strictly necessary”. The controller’s cookies were of different kind, including the analytical cookies. Especially for the latter, the application of Article 6(1)(f) GDPR is per se excluded and the consent needed to be obtained. Furthermore, by adding the legitimate interest to be a “back-up” legal basis for the cookies related processing, the controller mislead the data subject. The controller violated then Article 6(1)(a) GDPR. Nonetheless, the DPA reprimanded the controller that the legal basis for placing and processing of analytical cookies and other cookies that were not “strictly necessary cookies only was a consent under Article 6(1)(a) GDPR.
In answer to the controller’s claims, the DPA emphasised that:
- the fact that the data subject gave a consent didn’t deprive them from starting the case before the DPA;
- the guidelines of the EDPB were not legally binding, as pointed by the controller, but they played important role regarding the interpretation of the GDPR.
In addition, the DPA excluded alleged pressure put on the data subject by noyb to initiate the proceedings. The controller argued the relationship between the data subject, being a trainee at noyb, was instructed to lodge the complaints with the DPA. Hence there was no legal interest of the data subject in the case at hand. However, for the DPA statements of that kind were unfounded, bearing in mind the facts of the case. In particular, the outcome of the data subject’s hearing before the DPA that proved the data subject’s interest being involved.
Comment
In the case APD/GBA (Belgium) - 112/2024, where the data subject was represented by noyb, the APD/GBA dismissed the case due to the lack of data subject's own interest.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
1/70 Dispute Chamber Decision on the Merits 113/2024 of September 6, 2024
Dossier number: DOS-2023-03279
Subject: Measures regarding cookie banners on the news websites of Mediahuis (websites De Standaard, Gazet van Antwerpen, Het Belang van Limburg, and Het Nieuwsblad)
The Dispute Chamber of the Data Protection Authority, composed of Mr. Hielke HIJMANS, chair, and Mr. Christophe Boeraeve and Mr. Jelle Stassijns, members;
Considering Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Considering the Act of December 3, 2017, establishing the Data Protection Authority, hereinafter “DPA Act”;
Considering the Act of July 30, 2018, concerning the protection of natural persons in connection with the processing of personal data, hereinafter “PD Act”;
Considering the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018, and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents of the dossier;
1 The new Internal Rules of Procedure (“IRP”), after the amendments made by the Act of December 25, 2023, to amend the Act of December 3, 2017, establishing the Data Protection Authority (GBA), came into force on June 1, 2024. In accordance with Article 56 of the Act of December 25, 2023, the new IRP applies only to complaints, mediations, inspections, and proceedings for the Dispute Chamber that were initiated on or after that date: https://gegevensbeschermingsautoriteit.be/publications/reglement-van-interne-orde-van-de-gegevensbeschermingsautoriteit.pdf. Cases initiated before June 1, 2024, such as in the present case, are subject to the provisions of the DPA Act as not amended by the Act of December 25, 2023, and the IRP as it existed before that date: https://gegevensbeschermingsautoriteit.be/publications/reglement-van-interne-orde.pdf.
Has made the following decision regarding:
The complainant: The defendant:
X, represented by noyb – European Center for Digital Rights, hereinafter “the complainant” or “complaining party”;
Mediahuis N.V., represented by Mr. Jan CLINCK, Mr. Pierre ANTOINE, and Mr. Gerrit VANDENDRIESSCHE, hereinafter “the defendant.”
Table of Contents
I. Facts and Procedure ....................................................... 4
I.1. The four complaints ..................................................... 4
I.2. The settlement proposal and the settlement procedure in the proceedings
preceding the decision on the merits .................................... 5
I.3. The proceedings on the merits ........................................... 6
II. Reasons .................................................................. 8
II.1. Preliminary points ..................................................... 8
II.2. The submitted complaint under Art. 80.1 GDPR .......................... 15
II.3. The violations ........................................................ 26
III. Measures and immediate enforceability .................................. 56
III.1. Orders ............................................................... 56
III.2. Warnings ............................................................. 58
III.3. Financial penalties: special considerations .......................... 58
III.4. Immediate enforceability ............................................. 66
IV. Publication of the decision ............................................. 68
I. Facts and Procedure
I.1. The four complaints
1. This dossier is based on four consolidated complaints from one complainant regarding the cookie practices of the defendant on four of its websites:
a. The first complaint concerns the website of ‘Gazet van Antwerpen’ (www.gva.be)
b. The second complaint concerns the website of ‘De Standaard’ (www.standaard.be)
c. The third complaint concerns the website of ‘Het Nieuwsblad’ (www.nieuwsblad.be)
d. The fourth complaint concerns the website of ‘Het Belang van Limburg’ (www.hbvl.be)
2. The complainant is represented by Noyb – European Center for Digital Rights (“Noyb”), which has its registered office in Austria. In each of the four complaints and for each individual website, a mandate signed and dated by the complainant is appended, authorizing the representative to represent the complainant before the Belgian GBA. The scope of the mandate is expressed as follows: “regarding: the collection of my data by placing cookies on the defendant's website,” followed by the identification of each of the aforementioned websites, and subsequently “and taking all necessary measures to enforce my rights, including initiating judicial or extrajudicial proceedings.”
3. The complaints each allege four alleged “violations,” reflecting the complainant's grievances as follows:
• “Violation type 1: No ‘refuse’ option at the first level of information on the cookie banner”
• “Violation type 2: Misleading button colors”
• “Violation type 3: It is not as easy to withdraw consent as it is to give consent”
• “Violation type 4: Reference to legitimate interest”
4. The complaints are submitted, dated July 18, 2023, to the First Line Service of the Data Protection Authority via email. The complaints were formally received after midnight, on July 19, 2023.
5. On August 3, 2023, the First Line Service requested the representative of the complainant to provide the following: “Please inform us about the complainant's interest in filing the complaint, as provided for in Article 60 of the Act of December 3, 2018, establishing the Data Protection Authority.”
6. On August 24, 2023, the complaint was declared admissible by the First Line Service on the basis of Articles 58 and 60 DPA Act, and then the complaint was forwarded to the Dispute Chamber pursuant to Article 62, § 1 DPA Act.
7. On September 1, 2023, the complaining party submitted a document to the First Line Service responding to the inquiry raised by the First Line Service on August 3, 2023, regarding (the legal framework concerning) the complainant's interest and the mandate.
8. In the aforementioned document, Noyb refers to communications sent to the First Line Service on August 17 and 25, 2023, to which the First Line Service responded on August 24 and 29, 2023, respectively. This communication was not added to the current dossier by the First Line Service because this exchange took place in the context of another dossier pending before the GBA; the Dispute Chamber has upheld this approach and confirmed it to the defendant.² Of course, no account is taken of the content of this correspondence in the assessment and decision of the current dossier.
I.2. The settlement proposal and the settlement procedure in the proceedings preceding the decision on the merits
9. On September 21, 2023, the Dispute Chamber issued a letter to the parties stating that it would submit a settlement proposal to the parties within a period of thirty days. In the meantime, the parties were given the opportunity to review the dossier, which both parties requested; they obtained access.
10. On October 20, 2023, a settlement proposal was simultaneously sent to both parties, after which the settlement procedure formally commenced in the sense of Article 95 §1, 2° DPA Act.
11. On October 30, 2023, the representative submitted the complainant's response to the settlement proposal to the Dispute Chamber, proposing a number of adjustments.
12. On November 6, 2023, the Dispute Chamber communicated to the parties that it would not make adjustments to the terms of the settlement proposal due to the comments from the complaining party.
13. On November 7, 2023, the defendant, through its counsel, indicated that the response period set forth in the settlement proposal was unachievable. For that reason, the defendant requested an extension of the response period to December 20, 2023. On November 10, 2023, the Dispute Chamber indicated that it could not agree to the proposed extension at that time but granted a seven-day extension.
14. On November 27, 2023, the defendant forwarded a letter through its counsel, stating that it was not averse to a settlement but desired clarification on several points. The defendant also suggested adjustments to the terms of the settlement proposal.
15. On November 28, 2023, the Dispute Chamber sent an acknowledgment of receipt to the defendant, after which, on December 1, 2023, the Dispute Chamber sent another message stating that a response to the defendant's letter of November 27, 2023, could only be provided later.
16. On December 5, 2023, the Dispute Chamber sent a response to the defendant regarding all aspects for which the defendant requested clarifications or adjustments in the letter of November 27, 2023.
17. On December 11, 2023, the defendant, through its counsel, indicated that it could not accept the settlement proposal in its entirety. The defendant immediately stated in the same letter that it had made a number of changes in response to the 2nd and 3rd grievances of the complainant and that further changes regarding the 4th grievance would still be made. Regarding this last grievance, the defendant stated that it “will not fall back on the legitimate interest to place such cookies.”
18. On December 18, 2023, the Dispute Chamber then formally decided to withdraw the settlement proposal, briefly outlining the reasons for the breakdown of the settlement procedure.
I.3. The proceedings on the merits
19. On February 5, 2024, the parties were notified by registered letter of the provisions mentioned in Article 95, § 2, as well as those in Article 98 DPA Act. They were also informed, pursuant to Article 99 DPA Act, of the deadlines for submitting their defenses. In the letter, the Dispute Chamber invited the parties to take a stance on a number of aspects, outlining potential violations attributed to the defendant.
20. On February 12, 2024, the defendant sent a letter to the Dispute Chamber with several comments and requests related to the procedure, as well as a request to send procedural documents by postal mail rather than electronically. The Dispute Chamber responded to this message on February 19, 2024, and also agreed to extend the previously set deadlines for submissions.
21. On March 27, 2024, the Dispute Chamber received the defendant's defense conclusion; this conclusion was simultaneously provided to the representative of the complainant.
22. On April 17, 2024, the Dispute Chamber received the reply conclusion from the complainant. The representative of the complainant replied on a number of points to the defendant's defense conclusion dated March 27, 2024.
23. The (representative of the) complainant also requested to be heard by the Dispute Chamber, as well as to take the necessary corrective measures. Additionally, the complainant requested that the immediate enforceability not be suspended, as requested by the defendant, since this option provided by the legislator should be interpreted narrowly. Finally, the complainant requested that the decision be published on the GBA website.
24. On May 8, 2024, the Dispute Chamber received the reply conclusion from the defendant; this conclusion was simultaneously provided to the representative of the complainant.
25. On June 17, 2024, the parties were informed that the hearing would take place on July 1, 2024.
26. On July 1, 2024, the parties were heard by the Dispute Chamber.
27. On July 8, 2024, the minutes of the hearing (“PV”) were presented to the parties.
28. On July 12, 2024, the Dispute Chamber received several comments from the complaining party regarding the PV, which it decided to include in its deliberation.
29. On July 12, 2024, the defendant first submitted a number of comments regarding the minutes, claiming that these PV do not faithfully represent the hearing. The Dispute Chamber decided to take these comments into consideration in its deliberation. On July 16, 2024, the defendant then submitted new comments regarding the minutes, which the Dispute Chamber also decided to take into consideration in its deliberation.
30. Simultaneously, the defendant requested a copy of the recording of the hearing, a request based on Art. 95 § 2 DPA Act and Art. 15.3 GDPR. On July 18, 2024, it was communicated to the defendant that they could listen to the complete unedited recording of the hearing at the offices of the GBA, that the data protection officer of the GBA had been involved, and that the deadline for submitting comments on the minutes was extended. On July 31, 2024 – the day the deadline for comments on the minutes expired – the defendant sent a letter to the Dispute Chamber as well as to the DPO of the GBA regarding its request to obtain a copy of the recording of the hearing.
II. Reasons
II.1. Preliminary points
31. A first preliminary point concerns the reply conclusion of the complaining party. The defendant states in its synthesis conclusion that the conclusion of the complaining party should be excluded from the debates, on the one hand, because it was not signed (by the legal mandate holder of the Noyb representative) and, on the other hand, because the conclusion was not drafted in accordance with Article 744 Ger. W.
32. The Dispute Chamber argues why the defendant's argument on this point is legally flawed. Essentially, the proceedings for the Dispute Chamber are governed by the procedural provisions of the DPA Act. The Markets Court has repeatedly stated that the Dispute Chamber is an administrative body, not an (administrative) court in the formal sense.³ In this sense, it cannot accurately be stated that the provisions of the Judicial Code apply to the proceedings before the Dispute Chamber without exception and that they would always apply as lex generalis where the lex specialis of the DPA Act does not provide for regulations.
33. Furthermore, the Belgian legislator has explicitly stipulated in the DPA Act that parties may submit defenses.⁴ The legislator has then left it to the GBA to determine how defenses may be submitted – and if necessary to regulate this in the Internal Rules of Procedure.⁵
34. In the letter of February 5, 2024, the parties were informed about how the conclusions should be submitted. In that invitation, there is no mention of the fact that parties would have to submit defenses in a manner cloaked in formal requirements as alleged by the defendant, nor is there any reference to the Judicial Code. The Dispute Chamber cannot restrict a party's defenses⁶ – mutatis mutandis, this must also apply to how a party formulates and submits its conclusion when nothing has been ‘imposed’ on the parties in advance. The complaining party has complied with the deadlines for submission regarding the submission of the document.
35. Taking all of this into account, it is clear to the Dispute Chamber that the contested document (the reply conclusion of the complainant) should not have been excluded from the debates, that it could seamlessly become part of the Dispute Chamber's deliberation, and that the arguments raised by the defendant to exclude the document from the debates are unfounded.
36. A second preliminary issue concerns new documents submitted at the hearing by the representative of the complainant. The defendant opposes the submission of these documents and their addition to the dossier. Given the late submission of the documents, the opposition from the defendant regarding the submission, and the failure to provide any grounded reason for the delay, the documents are wholly excluded from the debates and will not be taken into account in the deliberations before the Dispute Chamber.
37. The Dispute Chamber points out regarding this second preliminary issue that it, as an agency of a supervisory authority, must be able to consider all elements that have come to its attention, in order to ensure a high level of data protection. This does not preclude the procedure from meeting the requirements of adversarial proceedings and equality of the parties. The procedure provided in the subsection “deliberation and decision on the merits” in Articles 98 et seq. DPA Act aims precisely to provide for an adversarial process. In administrative law, particular account must be taken of the duty to hear and the rights of defense.⁷
38. A third preliminary point concerns the legal appearance of the person who appears in person at the hearing on behalf of the representative of the complainant. At the hearing, the defendant indicates that it has questions regarding the mandate of the person acting for Noyb according to the statutes of this organization.
39. Firstly, it should be pointed out that Noyb has identified itself as the representative of the complainant before the Dispute Chamber, submitting the mandate in this regard, via communication through a specific email address. For the presence of the person in question at the hearing, prior to the hearing, the representative notified via the email address that the Noyb staff member would be present as a representative. The Dispute Chamber is not obliged to ex officio or at the request of the parties to investigate how the designation of this staff member occurred in concrete terms. The notification by the organization Noyb via email of the identity of the staff member in question suffices. For that reason alone, it is sufficiently established that the person could validly appear for Noyb.
40. Additionally, it should be noted that the complainant was personally present at this hearing alongside the staff member from Noyb. Based on the appearance of the complainant, it can be established that the complainant also assumes that the person in question could validly act for the representative Noyb.
41. Therefore, the person in question did indeed appear validly for Noyb at the hearing.
42. As a fourth preliminary point: at the hearing, the complaining party, for the first time and without prior notice, but not in limine litis, questions the “independence” of the chair of the Dispute Chamber in dealing with this case. Furthermore, the complaining party requests the chair of the Dispute Chamber to withdraw. The complaining party refers to anonymous “sources” who allegedly heard in private conversations that there was a strategy to dismiss complaints “from Noyb,” and to a public event attended by the chair of the Dispute Chamber. No further concrete elements are provided that would substantiate the lack of “independence” of the serving member.
43. From the words of the complaining party, the Dispute Chamber understands that it is more about impartiality than independence of the Dispute Chamber.⁸ With such ‘recusal requests,’ the requesting parties must be careful and precise.⁹ Expressing dissatisfaction about (the outcome or course of) a procedure is something different than raising recusal requests regarding members of public institutions, whose legitimacy is precisely based on their independence and impartiality.¹⁰
44. Specifically regarding the oral request of the complaining party for the withdrawal of the chair, the chair decides not to accede to this request for the following reasons.
year of experience at the Bar.
10 The legislator enshrines some elements in Article 44 DPA Act regarding this.
45. First of all, it was well known to the complaining party that the chair was (also) handling this file, at least as recently as February 5, 2024, when the parties were invited to submit their defenses in this dossier in a letter signed by the chair. The complaining party had the opportunity to take the necessary steps to raise this issue. The (extremely) late nature of the request for recusal is in itself sufficient to deny this request.
46. Furthermore, reference can be made to the following facts.
47. It is the defendant who has raised a number of arguments and points in this dossier, highlighting the (procedural) interest and mandate of the representative by the complainant, not the Dispute Chamber. Moreover, in the present dossier, only the First Line Service casually inquired about the (procedural) interest of the complainant, evidently without any detrimental effect for the latter when declaring the complaint admissible. In contrast, the Dispute Chamber did not ask the complaining party in its letter inviting the submission of defenses to further clarify their (procedural) interest or the circumstances of the mandate. Therefore, it is factually incorrect to suggest a bias that can be traced back to a person or a strategy of the Dispute Chamber or its chair. This does not preclude the Dispute Chamber from having the competence to pose such questions to the parties.
48. The complaining party was subsequently able to respond to the aforementioned arguments and points raised by the defendant in the reply conclusion and at the hearing. Nonetheless, at the beginning of the hearing, the complaining party indicated that substantive rather than formal points should constitute the core of the debate, and that the complainant should be subjected to “more thorough scrutiny” than a data controller. This statement is factually incorrect on multiple fronts.
49. Firstly, the settlement procedure itself illustrates that the Dispute Chamber – prior to this decision – proceeded with a process aimed at quickly addressing the grievances formulated in the complaint. Moreover, at that moment, it was even the first time the Dispute Chamber used the settlement procedure in the pre-decisional phase as part of its jurisdiction.
50. The Dispute Chamber moreover does not understand to what extent the complainant would have been subject to a “more thorough scrutiny.” The Dispute Chamber did not ask or suggest anything to the complaining party regarding this prior to the arguments presented by the defendant, and the Inspection Service did not intervene in this dossier. The fact that the defendant presents arguments and points in this regard is the right of a defending party in proceedings with potentially significant corrective measures. Such arguments and points cannot and must not be excluded from the debate.
51. Furthermore, in response to the defendant's inquiry as to whether the latter needed to limit itself to its arguments regarding these procedural elements at the hearing, the Dispute Chamber indicated that it was at liberty to structure its pleadings as it saw fit, but that the hearing, in accordance with the letter of February 5, 2024, “would at least address those substantive points.” The extent to which the substantive aspects constituted (also) the core of the debate is difficult to clarify further.
52. The Dispute Chamber clarifies that the representative of the complainant must separate different formal procedures in which they act for different complainants. In this dossier, the Dispute Chamber did not raise the alleged issue regarding the (procedural) interest of the complainant or the alleged issue regarding the mandate when allowing the dossier and inviting the submission of defenses. In the following parts of the present decision, the Dispute Chamber also dismisses the arguments of the defendant in this regard.
53. The Dispute Chamber cannot be asked not to address the arguments of the defendant or that these arguments should not be subject to assessment. On the contrary, it is precisely the task of the Dispute Chamber to address the raised points and arguments that must be assessed on a case-by-case basis.
54. The Dispute Chamber also judges in an impartial manner, without fear or favor for either party. In this respect, defending parties have the right to a fair analysis of the facts and according to legal standards. A complaining party has no right to preferential treatment procedurally, nor does this party possess the privilege of avoiding a legal debate – potentially to its detriment.
11 The defendant raised a question regarding this to the Dispute Chamber on June 19, 2024, with the complaining party being copied.
12 The Dispute Chamber responded to the defendant on June 21, 2024, and the complaining party was copied.
13 It should also be noted in this context that, procedurally, certain submissions from the complaining party could not be included in this dossier as they were made in the context of another dossier where the representative was acting. See in this regard the exchanges between the defendant and the Dispute Chamber in documents 20, 21, 28, and 32 of the administrative dossier.
14 See, for instance, Judgment of the Brussels Court of Appeal (Market Court Section) dated September 16, 2020, 2020/AR/1160, §5.7: “It is not in accordance with the rule of law that the Dispute Chamber of the GBA could ‘choose’ which argument it provides an answer to or not.”
15 Compare Article 6 ECHR, Article 47 EU Charter of Fundamental Rights, and Article 52 GDPR; although the Dispute Chamber is not a court in the traditional sense, this principle also applies to administrative procedures (ECtHR, Öztürk v. Germany, February 21, 1984, ECLI:CE:ECHR:1984:0221JUD000854479); within Belgian law, the impartiality of administrative bodies is also guaranteed as a principle of good governance, see supra and Judgment of the Council of State, June 22, 2017, No. 238,610.
16 Although the Dispute Chamber is not a legal body, reference can be made to Article 6 Ger. W., which states that judges must apply the applicable legal rules in all matters submitted for their judgment; under Article 57 GDPR, it applies mutatis mutandis to the supervisory authority to process complaints and investigate the outcome, without any indication for preferential treatment. When issues are discussed or treated in an investigation, hearing, or decision, it does not imply that these issues are justified or substantiated.
55. In a credible legal dispute, truth-finding occurs in a thoughtful manner based on facts and qualitative arguments. In this context, (legal) questions must be able to be raised without this in itself implying partisanship.
56. The fact that information may be shared within the framework of the loyal and confidentiality-oriented cooperation and loyal information sharing within and between supervisory authorities in the European Economic Area, which would raise critical legal questions regarding a particular issue, is an inherent element of the cooperation procedure in Chapter VII of the GDPR.18
57. The mere fact that a previous case for the Dispute Chamber with allegedly similar circumstances may lead to a potentially detrimental outcome for the same party or its representative does not justify recusing a sitting member in another (i.e. this) case.
58. When a party disagrees with a decision of an authority, it is free, under Article 78 GDPR, to appeal that decision. In Belgian law, this can also be done, according to Article 108, §3 DPA Act, by any third party with an interest before the Market Court. Therefore, if Noyb believes it is a relevant stakeholder, it has potentially the right of access to the courts. The fact that no appeal could be lodged in a previous case because the involved complainant did not wish it, as raised at the hearing, is not a fault attributable to the Dispute Chamber and is not relevant.
59. Finally, as a fifth and final preliminary point, after receiving the minutes in this file, the defendant informed the Dispute Chamber on July 12, 2024, that it found these minutes “not a faithful representation” of the hearing and that this could violate the rights of defense. In this context, the defendant requested a new set of minutes to be drawn up.
60. On July 23, 2024, the Dispute Chamber informed the defendant that the audio recording could be listened to in full and unedited in the premises of the GBA, after having previously extended the deadline for submitting comments on the minutes until July 31, 2024.
61. The Dispute Chamber refuses the requested copy for the following reasons.
62. First and foremost, the preparation of the minutes by the Dispute Chamber and their submission to the parties is not a legal right, but merely an initiative of the GBA to formally record the hearing in the administrative dossier, as well as to formalize elements that were not raised during the conclusions. The Internal Rules of Procedure state that it is merely a representation by means of a synthesis; the minutes state explicitly: “The present minutes aim only to mention specifications and additions raised during the hearing, without repeating the elements laid out in the written conclusions of the parties.” (the Dispute Chamber emphasizes in light of this decision)
63. In this regard, the Dispute Chamber has taken note of everything that was said at the hearing. The defendant elaborately presented its arguments in its conclusions (including table of contents and overview of documents, the synthesis conclusion totals 117 pages). The Dispute Chamber did not reiterate similar elements mentioned during the pleadings in the minutes, only referencing that the pleadings addressed “formal” and “substantive” elements – elements retrievable in and repeatedly identical to the synthesis conclusion. Any questions or substantively new comments raised at the hearing were included in the minutes.
64. Secondly, the Dispute Chamber states that the objective of the minutes is not to provide an exhaustive overview of what was said during the hearing. An exhaustive overview is not only of little relevance regarding the right to be heard as outlined by law, it is also undesirable for the proper functioning of the procedure for the Dispute Chamber and for smooth proceedings for the parties. The debates are not reopened after the hearing is concluded, as clearly stated in the minutes themselves. According to the principle of effectiveness, the GDPR must be capable of being upheld usefully: unnecessary additional elements to the procedure are not only undesirable, they are also unlawful according to that principle.
65. An exhaustive transcript of everything said during a hearing, such as in this case lasting 1.5 hours, would yield several dozen pages of minutes; this would undermine the procedural value of a hearing.
66. Finally, regarding the request, the defendant points out that it would have the right under Article 95 § 2 DPA Act to a copy of the recording as it is part of the dossier. This is incorrect. The minutes are the document that is recorded in the dossier; additionally, parties' comments on those minutes are added to the dossier. The audio recording merely facilitates the drafting of the aforementioned minutes and is not a document of the administrative dossier. The right to be heard, as laid out in Article 98, 2° DPA Act, does not extend to obtaining a copy of the audio recording of the hearing. In any case, after the hearing has concluded, the debates are closed, so access to the copy of the audio recording under Article 95 § 2 DPA Act – a legal provision dealing with the copy of the dossier when enabling the case – is definitely not an issue.
67. For all these reasons, the request of the defendant for the preparation of a new – more exhaustive – set of minutes of the hearing dated July 1, 2024, is rejected.
68. For the transparency of the procedure, it should be noted that several lawyers from the defendant requested a copy of the audio recording of the hearing under Article 15.3 GDPR, via messages sent to the Dispute Chamber on July 18 and July 31, 2024. In the message of July 31, 2024, several lawyers from the defendant addressed both the Dispute Chamber and the data protection officer (“DPO”) directly. Once any lawyer referred to Article 15.3 GDPR on July 18, 2024, the DPO of the GBA was informed of the request. This exercise of a right under Article 15.3 GDPR does not fall under the administrative procedure preceding this decision.
II.2. The lodged complaint under Article 80.1 GDPR
II.2.1. Legal Framework
69. Article 80 GDPR states the following: Representation of data subjects
1. The data subject has the right to mandate an organ, organization, or association without profit motive, which is duly established according to the law of a Member State, whose statutory objectives serve the public interest and which is active in the area of protecting the rights and freedoms of the data subject in relation to the protection of their personal data, to submit a complaint on their behalf, exercise the rights specified in Articles 77, 78, and 79 on their behalf, and exercise the right to compensation under Article 82 on their behalf, if the law of the Member State provides for this.
2. Member States may determine that an organ, organization, or association as referred to in paragraph 1 of this article has the right to submit a complaint independently of the mandate of a data subject in that Member State to the supervisory authority competent under Article 77 and to exercise the rights specified in Articles 78 and 79, if it believes that the rights of a data subject under this regulation have been violated as a result of processing. In this regard, Recital 142 of the preamble is also relevant: When a data subject believes that their rights have been infringed under this regulation, they should have the right to authorize organs, organizations, or associations without profit motive, duly established under the law of a Member State, whose statutory objectives serve the public interest and which are active in the area of protecting personal data, to submit a complaint on their behalf to a supervisory authority, to exercise the right to an effective judicial remedy on behalf of data subjects, or to exercise the right to receive compensation on behalf of data subjects, if this is provided for in the law of the Member State. Member States may determine that these organs, organizations, or associations have the right to submit complaints in that Member State, irrespective of any authorization by a data subject, and to have the right to an effective judicial remedy if they have reasons to believe that the rights of a data subject have been violated due to personal data processing that infringes this regulation. For these organs, organizations, or associations, it may be determined that they do not have the right to claim compensation on behalf of a data subject without the authorization of the data subject.
II.2.2. Context of the complaint
70. The manner in which the complainant, in consultation with Noyb as a representative, can be visualized is as follows. [Image]
71. First it is undisputed that Noyb is engaged in projects related to lodging complaints regarding cookies and cookie banners. Noyb has publicly communicated about projects in this regard that bundle a number of similar complaints, and the status of the projects is publicly maintained on Noyb's website.²²
72. Second, there was undeniably a internship relationship between the complainant and their representative in the present dossier at the time of the findings that led to the documents attached to the complaint. The complainant was also an intern when Noyb was mandated to submit the complaint.
73. Third, there is NO demonstrable link between the lodging of the complaint in this dossier by the complainant (including the mandate of Noyb by the complainant) and other cookie projects initiated by Noyb as an organization. However, Noyb did issue a press release on the day the complaints were lodged, stating that “fifteen” complaints were filed against Belgian media websites. The complainant did not submit each of those fifteen complaints.²² Reference is made among others to documents 4, 5, and 6 in the defendant’s synthesis conclusion, including a reference to the webpage titled “Noyb wants to put an end to ‘cookie banner terror’ and files more than 500 GDPR complaints” (example document 4).
74. This does indicate a certain form of coordination, but it is nowhere established that any coordination took place before the complainant's grievances arose, nor before the mandate of Noyb by the complainant. In that sense, it cannot be established that any pressure from Noyb on the complainant could have occurred.
75. It should, however, be noted that this fact is not undisputed, as the defendant indicates that the interest of the complainant as a data subject has not been demonstrated, and that the findings or grievances cannot be completely disconnected from the organization Noyb. The defendant refers, among other things, at the hearing to the fact that the finding was made with work materials during working hours, and that there is talk of a project at Noyb (and not a complaint of the complainant as an individual).
76. Fourth, the complainant believes that a breach of the GDPR has occurred and that he has been harmed in his rights.
77. Fifth, a complaint was filed on behalf of the complainant by Noyb as their representative. The complaint was formulated and submitted to the Belgian supervisory authority in consultation with the complainant, and was lodged with the First Line Service of the GBA without any alleged formal deficiencies.
II.2.3. No direct evidence of ‘fictitious’ mandate and present (procedural) interest on the part of the complainant
Position of the complaining party
78. In her reply conclusion, the complaining party addresses the “admissibility” of the complaint. The Dispute Chamber summarizes the position. In a first part regarding this, the complaining party argues concerning the “admissibility under Article 77(1) in conjunction with Article 80(1) GDPR.”
a. Firstly, the complaining party states in the section “burden of proof” that the complaints and attachments demonstrate a personal connection between the complainant and the data processing, inter alia, because the complainant visited the websites, from which the necessary indications arise for the violations described in the complaint. In this regard, the complaining party further states that the GDPR does not impose requirements on the content, form, or scope of the complaint and neither on the evidence that should be provided by the complainant. Furthermore, the complaining party states that it is the data controller who bears the burden of proof that the GDPR is being complied with, not the complainant.
b. Secondly, the complaining party argues in the section “the relevant processing violates the GDPR” that the complaints...
Describing where GDPR violations occur
The complaining party states that the GDPR or the DPA Act does not require that the involved complainant first exercise their rights against the data controller. Furthermore, the complaining party points out that the defendant did not accept the cookie banners following the settlement proposal, and that there are still unlawful cookie banners in place.
c. Thirdly, the complaining party asserts in the section “sufficient personal interest” that the complainant has visited the websites and that personal data was processed during this time. The complainant has then chosen to be represented by Noyb, in accordance with Art. 80(1) GDPR. The representation can always be terminated, and Art. 80(1) GDPR does not impose a limitation on granting such a mandate during or after a “direct subordinate relationship” between the complainant and the representative. Furthermore, the complaining party states that the Court of Justice of the EU has accepted that a person who is (or has been) employed by Noyb may be represented by the latter, and that the argument of invalid representation by Noyb has repeatedly been dismissed in ongoing cases involving Noyb. Additionally, Noyb points out that the decisions of the Dispute Chamber do not have precedential effects.
d. Fourthly, the complaining party states in the section “Incorporation under Belgian law (Art. […] 220§2,1° GBW)” that the GBA has previously endorsed that this Belgian provision is stricter than Art. 80(1) GDPR and that it excludes it in the sense that non-compliance has ‘no impact’. The complaining party further states that the GBA must exclude the operation of the national provision to ensure the full effectiveness of EU law and thus allow Noyb as a representative under Art. 80(1) GDPR; Noyb is validly established under the law of a Member State, in this case, Austria.
79. In a second part regarding this matter, the complaining party argues about the “admissibility under Art. 80(2) GDPR”:
a. The complaining party contends that there is a valid representation ex Art. 80(1) GDPR so that a question of admissibility under Art. 80(2) GDPR is not relevant. In this context, the complaining party notes that Noyb may initiate legal action in accordance with Art. 17 Ger. W. and that there is no reasonable justification for not allowing Noyb to independently file a complaint with the GBA. The complaining party further points out that the legislative history of Art. 17 Ger. W. does not state that this provision is not applicable for procedures before the (Dispute Chamber of the) GBA. On the other hand, according to the complaining party, the legislative history of Art. 58 DPA Act indicates that “everyone” can submit complaints, including legal entities and associations. Moreover, the complaining party argues that allowing Noyb to access a court as an independent party while not allowing it before the GBA would constitute a violation of the equality principle under Art. 10 of the Belgian Constitution. The complaining party concludes: “The fact that Noyb would have sufficient interest in filing complaints such as these follows from Noyb's statutes.”
Position of the Defendant
80. The position of the defendant is clarified in two of its arguments as follows (the Dispute Chamber summarizes):
2nd argument (as a primary order): Absence of sufficient personal interest on the part of the complainant:
a. In this argument, the defendant first asserts, summarized, that there is “no credible evidence or claim of processing of personal data of the complainant” presented in the complaint. According to the defendant, it is uncertain whether the complainant himself visited the relevant websites. The defendant states that based on “further investigation,” for example, it finds that a number of “false or at least flawed claims” can be read in the complaint – and refers for each of the four complaints to the fact that references to news pages (web pages) included in the evidence pertained to dates after the date on which the complainant claimed to have visited the websites. Additionally, the defendant points out other inconsistencies in the submitted documents.
b. Secondly, this argument states, summarized, that the “relevant processing” does not violate the GDPR. The defendant argues that the complainant, as a data subject, has given consent and that he consulted the various layers of information, as evidenced by the documents. Moreover, the defendant cites that the complainant did not exercise his rights against the defendant. This means, according to the defendant, that the Dispute Chamber cannot order the deletion of data in the sense of Article 17 GDPR or order that this deletion or rectification be communicated to third parties in the sense of Article 19 GDPR.
c. Thirdly, the defendant asserts, summarized, that the “data subject” (complainant) has no sufficient personal interest and that the representative acts under a fictitious mandate. The defendant refers to press releases from Noyb regarding its actions against “cookie banner terror” as well as a specific press release concerning the settlements of the Dispute Chamber. The defendant cites the following passage from this latest press release from Noyb: “Noyb files 15 complaints against the aforementioned media sites to force them to adjust their cookie banners.” Furthermore, the defendant points out that the complainant was an intern at Noyb at the time of the visits to the contentious websites, and that the visits to the websites were not spontaneous (given the limited time spent – less than 1 minute per website), that the geographical data concerning the website visits trace back to Austria, that the complainant himself indicates he is acting against a general practice, and that he lodged complaints against other media companies on the same day. Additionally, the defendant points out that the letter to the First Line Service by Noyb on September 1, 2023, does not demonstrate that the complainant indeed holds the required personal interest, and that the Dispute Chamber in a previous decision in a similar case (Decision 22/2024 of January 24, 2024) already ruled that Noyb's mandate is fictitious.
d. Fourthly, the defendant claims that Noyb is abusing rights because it uses the complaints procedure to “realize its own publicly announced program through a fictitious mandate of a subordinate intern.” Furthermore, the defendant states: “In this way, Noyb sought to circumvent the non-transposition of Article 80.2 into Belgian law.” The defendant cites several other elements and concludes: “Noyb thus used the complaints procedure with the GBA for a purpose other than that for which the procedure is intended. This is an abuse of rights.”
e. Finally, the defendant responds to several points from the conclusion of the complainant. In this regard, the defendant notes that the complaining party does not respond to “multiple – earlier factual – arguments” from the defendant and that these facts are therefore not disputed.
3rd argument (subordinate): NOYB cannot independently file a complaint
a. In this argument, the defendant first asserts, ‘as a primary argument’, that the complainant's mandate is limited to Article 80.1 GDPR. The defendant states that the Dispute Chamber cannot assess the elements of the complaint under Article 80.2 GDPR; in that case, the Dispute Chamber would be ruling “ultra petita.”
b. Secondly, in a subordinate manner, the defendant asserts that Article 80.2 GDPR does not apply in Belgium. The defendant refers to the Belgian legislator's choice not to activate this provision through national law.
c. Thirdly, and also in a subordinate manner, the defendant states that Noyb itself cannot file a complaint as it does not possess sufficient personal interest.
d. Fourthly, the defendant provides a rebuttal to what was stated in the conclusion of the complaining party, namely that sufficient interest for Noyb follows from the statutes of that organization. The defendant states that the statutes of Noyb only reveal the general, public nature of the interest.
Assessment by the Dispute Chamber
81. The representative of the complainant is generally actively working to expose certain practices in the field of data protection law. These general organizational goals alone do not suffice to speak of a fictitious mandate under Article 80.1 GDPR. The defendant raises a number of (sub)arguments in its defense to argue that there are various issues regarding the mandate. However, the Dispute Chamber finds no direct indications or evidence in any of these arguments to claim that the mandate is fundamentally defective, let alone that it was established in a ‘fictitious’ manner in this dossier. The Dispute Chamber argues as follows.
82. Firstly, it is indeed the case that Noyb has previously engaged in several projects where it sought to address certain practices through complaints. The mere fact that fictitious mandates would have been formulated in that context does not suffice to assert that Noyb cannot represent data subjects concerning the same matter. Moreover, there is no formal indication that Noyb itself initiated the approach to encourage the complainants to file complaints with a specific concrete content.
83. Secondly, the complainant emphasizes at the hearing that he independently visited the websites and had issues with the practices of the data controller, specifically after gaining knowledge of the settlement decision from the Dispute Chamber regarding the websites. Moreover, the complainant is Dutch-speaking, so it is not inconceivable that the complainant also incidentally or routinely visits the contentious websites and has an interest in ensuring that the processing of personal data is carried out properly when this happens. Therefore, when the complainant states that he visited the website independently – albeit on a work laptop – and feels aggrieved, without any indication of prior instruction or pressure from the representative, the legitimate, direct, and personal interest is established. There is no indication of abuse of rights.
84. It should be emphasized, as the complaining party rightly notes, that in the context of the right to complain, a data subject only needs to “believe” that their rights have been infringed. Furthermore, A fortiori, Recital 143 – regarding the mandate by a data subject – explicitly states that a data subject has the right to mandate an organization as soon as that person “believes” that their rights have been violated. That the representative subsequently makes their expertise available in the context of the representation mandate, to gather additional evidence, can indeed be considered a good practice.
85. In summary, the mandate has been validly granted under Article 80.1 GDPR.
86. Thirdly, it is indeed prudent to enter into a mandate under Article 80.1 GDPR when a working relationship (an employment relationship, an internship relationship, or others) is involved. Problems (such as conflicts of interest) may indeed arise concerning the internship relationship; however, the Dispute Chamber reads or finds no argument that indicates that the internship relationship in this instance stands in problematic relation to the mandate to file the complaint. It is legally and sensu stricto not excluded that the representative can also serve as an internship supervisor.
87. It is up to the representative to assess, within the framework of the applicable legal provisions, whether the representation relationship is appropriate. The Dispute Chamber will only intervene when there are clear indications that the legal requirements for a valid representation have not been met, or when the integrity of the procedure is at stake. This is the case, for example, when a mandate is established in a fictitious manner, or when the grievances are demonstrably ‘steered’ by the representative.
88. It is also worth noting that there is a difference between, on the one hand, being asked – however informal it may be – by an employer or ‘intern supervisor’ to give consent for something, versus, on the other hand, independently approaching the internship supervisor or employer to grant a mandate for representation. In this instance, there is no factual indication that the first situation applies, so there can be no legal defect in the mandate. Moreover, the complainant has also indicated in so many words at the hearing that he himself (albeit in consultation with another person who was also a trainee at the same time) independently identified a problem with the contentious websites. There is no evidence to suggest that this statement from the complainant is not truthful: the complainant raised this issue in person at the hearing.
89. The fact that trainees are provided with a forum to lodge complaints regarding alleged unlawful processing of their own personal data or related infringements is not problematic per se, as long as this occurs within the legal provisions23 and without prior instructions regarding, for example, the identity of the data controller and the specific infringements being alleged. Providing such a forum may also include offering work materials and a physical workspace to individuals. Strategic coordination between the complainant and their representative regarding how a complaint is lodged, which infringements are focused on, and how the content is presented can indeed only occur after such grievances have arisen.
90. It is of course not excluded that the complainant's objective to be represented in addressing the alleged infringed rights he wishes to see upheld aligns with Noyb's organizational objectives to ensure compliance with the rules on lawful data processing regarding cookies in the public interest.
91. In summary, there is no indication that the mandate is fictitious. The complainant has a direct and personal interest and has granted the mandate independently, not at the instruction of the representative.
92. Fourthly, the defendant rightly observes that several ambiguities, errors, or deficiencies arise from the evidence (in interaction with the content of the complaint itself). However, these aspects seem to indicate more of a careless presentation of evidence by the complaining party and/or the representative, specifically regarding the dating of such documents, rather than fundamental problems surrounding the representative's mandate. The complainant also claims to have visited the web pages himself, which is challenged by the defendant. In any case, the inaccuracies or errors are not of such a nature that they should lead to the dismissal of the dossier in the present case.
93. At the hearing, the complaining party acknowledges that not all documents in the complaint and the administrative dossier have been accurately labeled or described. However, the complainant states that he took the initial screenshots and thus raised the initial grievances that form the basis of the complaint. Regarding the HAR files (which contain a representation/recording of network traffic at a given time, showing the placing and reading of various cookies on the contentious websites) attached to the complaint, it is further raised that they were not generated by the complainant (but by staff of the representative). Here, the complaining party indicates that the HAR files do not serve to demonstrate the processing of personal data of the complainant as a data subject but rather to frame the general practices of the defendant.
94. All of this provides no direct evidence for a problem regarding the (fictitiousness of) the mandate. The complaining party is open about the approach, and everything indicates that additional evidence was gathered after the grievances arose for the complainant. Moreover, the defendant does not dispute that the screenshots and practices displayed on those screenshots were indeed real screenshots taken from the contentious websites.
95. The same applies to the HAR files that were attached from the contentious websites. In this instance, the defendant considers the dating or the acting person behind the document to be unclear, but the Dispute Chamber contemplates in this regard that there is no indication that the documents would have been manipulated in any way. Moreover, particularly the HAR files play no role in the further assessment by the Dispute Chamber, notably because these files are not relevant for the violations subsequently identified.
96. Regarding the screenshots, it is established that it is the complainant who has taken note of the cookie banners and their various layers; at least part of the screenshots attached to the complaint was initially generated by the complainant.
97. It can be considered good practice that when Noyb represents a data subject, it ensures that the necessary evidence is gathered as the representative; there is no need for the complainant to initiate when they mandate Noyb to raise a predetermined case (with grievances traceable to the complainant's own initiative), so long as the evidence supports the complaint. In this sense, it is certainly not the case that the Dispute Chamber deems documents provided by the representative inadmissible.
98. In summary, the incorrectly labeled, qualified, or otherwise deficient documents are not of such a nature that they indicate a problem concerning the interest of the complainant or the representation mandate, nor do they lead to the need to dismiss the dossier. The decision rests solely on the evidence whose authenticity is established or on documents or elements presented by the defendant themselves.
99. Fifthly, it is by no means the case that a complaint should be dismissed in any instance because a complainant (in this case still as a data subject) has not first approached the data controller, or that the Dispute Chamber would be unable to take measures when a data subject has not first approached the data controller. Depending on the circumstances, it is not even necessary for a person’s personal data to be processed for a complaint to be addressed by a supervisory authority – despite some legal discussions about this previously.24 However, it is true that the Dispute Chamber and the GBA as a whole – in light of their limited resources – strive for the most efficient processing of complaints, where the non-exercise of rights can certainly play a role in the assessment of whether or not to dismiss a complaint. Such an assessment is not in question here and now by the Dispute Chamber.
100. In conclusion: for all these reasons, all arguments put forward by the defendant concerning aspects of the representation mandate and the mandate of the representative by the complainant in this dossier are unsubstantiated. The Dispute Chamber rules that the representation is legally valid under Article 80.1 GDPR, and that the complainant has a personal, direct, and established interest in the processing of personal data underlying the present complaint procedure. No further discussion is provided on the parties' arguments concerning the role of Article 80.2 GDPR in this dossier, since this provision does not play a role in this case.
II.3. The violations
II.3.1. A comprehensive “refuse all” option at the first layer of cookie banners
Position of the complaining party
101. The position of the complainant regarding this point is as follows: “None of the […] cookie banners on the websites of the defendant [respondent] contains an “All refuse” button at the first level but only a button with “Agree and close” and a button with “More information.” The option to refuse all cookies simply and at once is intentionally hidden by the defendant [respondent]. Since no “All refuse” option is included at the first level of information on the cookie banner and the acceptance of all cookies is thus many times easier than refusing them, there is a “default effect” for and encouragement to accept all cookies (cf. Recital 32 GDPR). Based on this, the consent obtained by the defendant for placing cookies cannot be considered ‘unequivocal’ (Art. 4(11) GDPR), resulting in the consent obtained from the complainant being invalid (Art. 6(1)(a) GDPR in conjunction with Art. 5(3) ePrivacy Directive in conjunction with Art. 10/2 GBW). Consequently, the defendant [respondent] cannot demonstrate that the complainant has given consent for the processing of his personal data (Art. 7(1) in conjunction with Art. 5(2) GDPR).
the EDPB Cookie Banner Taskforce Report emphasizes again that the absence of a button labeled “Refuse All” at the same level as the “Accept All” button is considered a violation by a significant majority of data protection authorities. […] As previously raised in the complaint, this prevailing legal opinion also follows from guidelines of national supervisory authorities from France, Germany, Denmark, and Finland. Additionally, the guidelines from the Netherlands and Austria can be added to this list. The GBA explicitly states: “A ‘Manage Settings’ button is thus not sufficient alongside an ‘Accept All’ button. […] The mere provision of an option to refuse all cookies that evidently requires more steps, time, and effort than accepting all cookies also constitutes a violation of the principle of due process laid out in Art. 5(1)(a) GDPR, according to the EDPB guidelines on deceptive design and dark patterns.” Establishing that the absence of an “All refuse” option at the first informational layer of the defendant's cookie banners constitutes a violation, however, not only involves applying the guidelines of supervisory authorities, but is also a direct and concrete application of the legislation (in accordance with prevailing legal opinion). From a one-time approved action plan or individual (old) decisions of the Dispute Chamber in specific cases, where an “All refuse” button was not the subject, its value cannot be attributed as the prevailing legal opinion. […] As previously mentioned in this conclusion, the Markets Court confirmed that the decisions of the GBA's Dispute Chamber do not have precedent power.
Position of the Defendant
102. The position of the defendant in its synthesis conclusion is as follows (the Dispute Chamber summarizes):
4th argument (subordinate): The absence of a ‘refuse’ option in the first informational layer of the cookie banner does not render consent invalid
• Firstly, the defendant states that the alleged violation is “without purpose because the complainant gave his consent.” The defendant argues that as soon as a data controller obtains the consent of the data subject, there is a legal basis to process the data lawfully; the defendant points out that the complainant gave his consent.
• Secondly, the defendant states that the obligation to place the ‘refuse’ option in the first informational layer is not evident in any legislation. The defendant states that valid consent can be obtained “even when there is no ‘refuse’ option at the first informational level of the cookie banner.”
• Thirdly, the defendant indicates that the consent requirements under Article 7 GDPR have indeed been respected. The defendant states that Article 7 GDPR does not imply a requirement to have a ‘refuse’ option in the first informational layer of the cookie banner. The defendant highlights that Article 7.3 GDPR addresses the withdrawal of consent: “The GDPR does not set out similar requirements for refusing consent at a time when no consent has yet been given.” Furthermore, in this context, the defendant points out that Article 4.11 GDPR also does not require having a ‘refuse’ option at the first layer of the cookie banner: the expression of will can, according to the defendant, take place in a free, specific, informed, and unequivocal manner. In any case, the expression of will occurs actively.
• Fourthly, the defendant asserts that the cookie banner aligns with the “decision-making practice of the Dispute Chamber.” The defendant specifically refers to two decisions – Decision 12/2019 of December 17, 2019, and Decision 19/2021 of February 12, 2021 – where, in particular in the latter decision, the Dispute Chamber explicitly stated, as cited by the defendant: “The new cookie banner no longer relies on implicit consent (‘by continuing to use this website’) but gives the choice between ‘accept recommended cookies’ and ‘adjust cookie preferences.’”
• Fifthly, the defendant indicates that the cookie banner is in accordance with the guidelines of the EDPB regarding consent. The defendant states that it finds nothing indicating the requirement of a ‘refuse’ option at the first informational level of the cookie banner.
• Sixthly, the defendant notes that the cookie banner complies with the action plan of IAB Europe, which was approved by the Dispute Chamber.25 The defendant states: “Mediahuis understands that the action plan of the Internet Advertising Bureau (“IAB”), validated by the Dispute Chamber on January 11, 2023, also does not contain the requirement for a ‘refuse’ option in the first informational layer of a cookie banner. This action plan does not stipulate what buttons must appear at the first informational layer of a cookie banner.”
• Seventhly, the defendant argues that no violation occurs solely because the practice is not in accordance with “policy documents of authorities.” The defendant emphasizes that these are merely policy documents; they do not have binding force as they are not law. Additionally, the defendant states that it understands from the EDPB Cookie Banner Taskforce report that a number of authorities believe that the absence of an ‘all refuse’ option on the same level as an ‘all accept’ option does not constitute a violation of Article 5(3) ePrivacy Directive, which indicates to the defendant that there is no consensus on this among European supervisory authorities. Furthermore, the defendant stresses that the GBA is “not consistent” in the information provided to the public, pointing out the difference in cookie web pages on the “citizen” section of the GBA website versus the “professional” page on the GBA website. The defendant also mentions that the information on the “professional” website is unclear and links to non-professional web pages on the GBA website. The defendant had these inconsistencies noted by a bailiff on November 27, 2023, and submitted the findings as evidence.
• Finally, the defendant also replies to the conclusion of the complainant.
Assessment by the Dispute Chamber
103. Article 10/2 PD Act states: In accordance with Article 125, § 1, 1°, of the Act of June 13, 2005, concerning electronic communication and without prejudice to the application of the Regulation and this Act, the storage of information or the acquisition of access to information that is already stored in the end device of a subscriber or user is only permitted on the condition that: 1° the subscriber or user receives clear and precise information about the purposes of the processing and their rights under the Regulation and this Act; 2° the subscriber or end user has given their consent after being informed in accordance with the provision under 1°. The first paragraph does not apply to the technical storage of information or access to information stored in the end device of a subscriber or end user, with the sole purpose of carrying out the transmission of a communication via an electronic communication network or providing a service explicitly requested by the subscriber or end user when this is strictly necessary for that purpose. (The Dispute Chamber underlines and emphasizes)
104. The European Data Protection Board (EDPB)26, just like the European Court of Justice (ECJ)27, has stated that the requirements concerning the notion of “consent” in the ePrivacy Directive must meet the requirements of consent under the GDPR.28 This is particularly true for those cookies that involve data processing: as the “Cookie Banner Taskforce” report of January 17, 2023 states, such processing implies that at the time of granting consent, this consent must meet the requirements of the GDPR.29
105. Article 4.11 GDPR defines consent as follows: any freely given, specific, informed and unambiguous indication of the data subject's wishes, by which they signify agreement to the processing of personal data relating to them, by means of a statement or by a clear affirmative action;
106. Article 6(1) GDPR states: Processing shall be lawful only if and to the extent that at least one of the following applies:
27 EDPB, Guidelines 5/2020 on consent under Regulation 2016/679, v. 1.1, May 4, 2020, §6-7.
37 EDPB, Guidelines 5/2020 on consent under Regulation 2016/679, v. 1.1, May 4, 2020, §39: “For consent to be freely given, access to services and functionalities must not be conditional on the consent of a user to store information or obtain access to information already stored in an end-user's device (the so-called cookie walls).”
38 See also the examples cited in the GBA’s “cookie checklist”, available at: https://www.gegegevensbeschermingsautoriteit.be/publications/cookie-checklist.pdf, vn. 3: “A ‘Manage settings’ button is not sufficient alongside an ‘accept all’ button, also see the prior press release regarding that from the Data Protection Authority: https://www.gegevensbeschermingsautoriteit.be/burger/nieuws/2023/02/10/cookiebanners-de-edpb-publiceert-voorbeelden-van-niet-conforme-praktijken.”
107. From the combined reading of the aforementioned legal provisions, and following the clarification from the Court of Justice regarding the interplay between the ePrivacy Directive and the GDPR, it follows unequivocally that the “refuse all” option must be provided by the defendant at the first layer when the defendant places an “accept all” button on that same layer.30 Otherwise, consent cannot be obtained in a “free” and “unambiguous” manner.31
108. Consent is not “free” when the data subject who does not wish to grant their consent (in the sense of Article 10/2, first paragraph, 2° PD Act) is required to take additional actions to refuse consent. As Recital 42 of the GDPR states: “Consent should not be considered freely given if the data subject has no genuine or free choice . . .”32 A choice implies at least an equally valid option to perform an act of refusal (not consenting) in the same manner as the act for which the choice is presented (consenting).33 Additionally, it should be noted that the involved visitor cannot close the cookie banner without making a choice, which constitutes a problematic form of so-called cookie wall.34
109. The fact that consent is not granted freely is sufficient to conclude that consent is not validly offered as a choice and cannot be obtained.
110. On the other hand, the “refuse all” option is indeed represented in the next layer in the same way as the “consent to all” option in that layer, but in any case in less clear colors than the “agree and close” option in the first layer, and with a number of other buttons displayed below in a similarly equal manner.37 As an example (mutatis mutandis applicable to the four contentious websites) on the website of De Standaard, from a screenshot in the synthesis conclusion of the defendant from the second layer:
38 A clear contrast with the ‘agree and close’ button in the first layer of the cookie banner: ---- Welcome to De Standaard! Mediahuis and third parties use cookies and similar techniques (“cookies”) for storing and/or accessing information on a device, functional and analytical purposes, advertisement and content measurement, audience insights, and product development, social media functionalities, personalized advertising, and personalized content. Personal data may be processed, including information about your device, your browser, and your use of the website. By clicking “Agree,” you agree to this. If you do not wish to allow all types of cookies, click on “Manage Preferences.” You can adjust your preferences at any time via the link “Manage Privacy Preferences” at the bottom of every page. Do you wish to learn more about how we use your data? Read our privacy policy and cookie policy. Our partners and we process data as follows: Personalized ads and content, ad and content measurement, audience insights and product development, Information stored and/or accessed on a device. Refuse all. Agree to all + Store and/or access information on a device. Disagree / Agree + Ad and content measurement, audience insights, and product development. Disagree / Agree + Personalized content. Disagree / Agree + Personalized ads. Disagree / Agree + Social Media. Disagree / Agree + Advanced measurement. Disagree / Agree + Using limited data to select content. Disagree / Agree + View partners Set all your preferences to save and proceed. ----
111. It is essential to balance the right to data protection with other fundamental rights40 – such as freedom of enterprise41 – but when the legislator imposes a requirement for consent for certain processes (under the ePrivacy Directive as transposed in the PD Act), that consent must, of course, meet the specific requirements set by the same legislator (under both the ePrivacy Directive and the GDPR).
112. Therefore, when it is established that, under applicable law, consent must be obtained for the placement of non-essential cookies – a point on which there is no dispute in this dossier – this inherently implies at least a direct choice, aside from the potential granularity for consenting to the placement of specific types or categories of cookies. As the complaining party notes, in the present cases on the four contentious websites, there is no legal reason why the refusal of cookies should not occur in the same simple manner.42 A different ruling would disregard the requirement of “free” and “unambiguous” consent necessary to obtain valid consent.
113. The defendant's argument that the complainant lacks an interest simply because he granted his consent is not tenable. Just because consent is given does not mean that the consent meets all the criteria for valid consent and thus constitutes valid consent under Article 4.11 in conjunction with Article 7.1 GDPR.
114. The defendant’s argument that the norm is unclear and that there is no reference in the legislation to the fact that an “all refuse” option must be present at the first informational level in the contentious cases is not the least bit tenable. This also applies to the argument that the situation adheres to the guidelines of the EDPB regarding consent, solely because those guidelines do not specify (with the incorrect implication that the guidelines do not require) the refuse option at the first ‘layer’ of the cookie banner.
115. The Dispute Chamber further clarifies its powers regarding this issue.
116. Article 8(3) of the Charter of Fundamental Rights of the European Union states that independent authorities must oversee compliance with the right to the protection of personal data. This provision underlines the importance of independent control and forms the basis for the establishment of supervisory authorities. Under Article 57.1 GDPR, supervisory authorities are authorized to enforce the GDPR.43 Under Article 4 DPA Act, the GBA is competent for this enforcement.44 Under Article 32 DPA Act, the Dispute Chamber is the administrative dispute body of the GBA; it decides on a case-by-case basis.
117. Since the entry into force of the Act of December 21, 2021, implementing the European Code for electronic communications and modifying various provisions concerning electronic communications on January 10, 2022 (“WEC”), the GBA is now competent under Belgian law for overseeing the provisions regarding the placement and use of cookies (i.e., “the storage of information or obtaining access to information that is already stored in the end device of a subscriber or a user”). This law made several amendments to the WEC. Specifically, Article 256 of the Act of December 21, 2021, repeals Article 129 WEC and transfers this provision to the Act of July 30, 2018, concerning the protection of natural persons regarding the processing of personal data (PD Act).45 Given that the GBA has residual authority to oversee the provisions of the PD Act, this confirms the material competence of the GBA regarding the placement and use of cookies.
118. The European legislator explicitly chose, in light of the increasingly digital society, to assign the enforcement of the GDPR to an authority that connects with similar authorities in...
valid consent under Article 6.1(a) GDPR.
Position of the Complainant
The complainant emphasizes once again that the EDPB Cookie Banner Taskforce Report also confirms that the absence of a button labeled “Refuse All” at the same level as the “Accept All” button is deemed a violation by a large majority of data protection authorities. […] As previously mentioned in the complaint, the fact that this is the prevailing legal opinion is also supported by guidelines from national supervisory authorities in France, Germany, Denmark, and Finland. The guidelines from the Netherlands and Austria can also be added to this. The GBA explicitly prescribes that: “A ‘Manage Settings’ button is therefore not sufficient alongside an ‘Accept All’ button. […] The mere provision of an option to refuse all cookies that evidently requires more steps, time, and effort than accepting all cookies constitutes a violation of the principle of due process in Art. 5(1)(a) GDPR, according to the EDPB guidelines on deceptive design and dark patterns.” Establishing that the absence of an “All refuse” option at the first information layer of the defendant’s cookie banners constitutes a violation does not solely rely on the application of supervisory guidelines, but rather constitutes a direct and concrete application of the legislation (in accordance with the prevailing legal opinion). The valuing of a one-time approved action plan or individual (previous) decisions of the Dispute Chamber in specific cases, where the absence of misleading button colors was not the subject, cannot be attributed the value of an established legal opinion. […] It has also been confirmed by the Markets Court that the decisions of the Dispute Chamber of the GBA do not have precedent effect.
Position of the Defendant
102. The defendant’s position in its synthesis conclusion is as follows (the Dispute Chamber summarizes):
4th Argument (subordinate): The absence of a ‘refuse’ option in the first informational layer of the cookie banner does not invalidate consent
• Firstly, the defendant states that the alleged violation is “without purpose since the complainant gave his consent.” In this context, the defendant asserts that as soon as a data controller has obtained the consent of the data subject, there exists a legal basis for lawful processing of the data; the defendant points out that the complainant granted his consent.
• Secondly, the defendant states in a subordinate manner that there is no obligation to place the ‘refuse’ option at the first information layer in any legislation. The defendant claims that valid consent can be obtained “even when there is no ‘refuse’ option at the first layer of the cookie banner.”
• Thirdly, the defendant asserts that the consent requirements under Article 7 GDPR have indeed been respected. The defendant argues that Article 7 GDPR does not show a requirement for a ‘refuse’ option in the first informational layer of the cookie banner. The defendant points out that Article 7.3 GDPR pertains to the withdrawal of consent: “The GDPR does not impose similar requirements for refusing consent at a time when consent has not yet been granted.” Furthermore, the defendant emphasizes that Article 4.11 GDPR does not impose a requirement for having a ‘refuse’ option at the first layer of the cookie banner: according to the defendant, the expression of will can take place freely, specifically, informed, and unequivocally. In any case, the expression of will occurs in an active manner.
• Fourthly, the defendant states that the cookie banner aligns with the “decision-making practice of the Dispute Chamber.” The defendant refers specifically to two decisions – Decision 12/2019 of December 17, 2019, and Decision 19/2021 of February 12, 2021 – where, particularly in the latter decision, the Dispute Chamber explicitly stated, as cited by the defendant: “The new cookie banner no longer relies on implied consent (‘by continuing to use this website’) but gives the choice between ‘accept recommended cookies’ and ‘adjust cookie preferences.’”
• Fifthly, the defendant claims that the cookie banner is in accordance with the EDPB guidelines on consent. The defendant argues that they do not see any requirement for a ‘refuse’ option at the first informational level of the cookie banner.
• Sixthly, the defendant asserts that the cookie banner is in accordance with the action plan of IAB Europe, which was approved by the Dispute Chamber.25 The defendant states: “Mediahuis understands that the action plan of the Internet Advertising Bureau (“IAB”), validated by the Dispute Chamber on January 11, 2023, does not entail the requirement for a ‘refuse’ option in the first informational layer of a cookie banner. This action plan does not contain any stipulation regarding what buttons must be included at the first information layer of a cookie banner.”
• Seventhly, the defendant argues that merely because the practice is not in accordance with “policy documents of authorities” does not mean there is a violation. The defendant points out that these are merely policy documents; they do not have binding force as they are not law. Additionally, the defendant states that based on the EDPB Cookie Banner Taskforce report, some authorities believe that the absence of an ‘All refuse’ option at the same level as an ‘All accept’ option does not constitute a violation of Article 5(3) of the ePrivacy Directive, indicating to the defendant that there is no consensus on this matter among European supervisory authorities. Moreover, the defendant argues that the GBA is “inconsistent” in the information it provides to the public, highlighting the differences in cookie-related pages on the “citizen” section of the GBA website versus the “professional” page. The defendant notes that the information on the “professional” website is unclear, linking to non-professional pages on the GBA website. The defendant had these inconsistencies recorded by a bailiff on November 27, 2023, and submits these findings as evidence.
• Finally, the defendant responds to several points raised in the complainant’s conclusion.
Assessment by the Dispute Chamber
103. Article 10/2 PD Act stipulates: In implementation of Article 125, § 1, 1°, of the Act of June 13, 2005, concerning electronic communications and without prejudice to the application of the Regulation and this Act, the storage of information or the obtaining of access to information already stored in the terminal equipment of a subscriber or user is only allowed under the condition that: 1° the concerned subscriber or user, in accordance with the provisions laid down in the Regulation and this Act, receives clear and precise information about the purposes of the processing and his rights based on the Regulation and this Act; 2° the subscriber or end-user has given consent after being informed in accordance with the provision under 1°. The first paragraph does not apply to the technical storage of information or access to information stored in the terminal equipment of a subscriber or end-user when the sole purpose is to carry out the transmission of a communication via an electronic communications network or to provide a service explicitly requested by the subscriber or end-user when this is strictly necessary for that purpose. (The Dispute Chamber underlines and emphasizes)
104. The European Data Protection Board (EDPB)26, just as the European Court of Justice (ECJ)27, has stated that the requirements applied to the notion of “consent” in the ePrivacy Directive must comply with the requirements for consent under the GDPR. This is particularly the case for those cookies that involve data processing: as the EDPB Cookie Banner Taskforce report of January 17, 2023 states, such processing suggests that at the moment of granting consent, the consent must meet the conditions of the GDPR.
105. Article 4.11 GDPR defines consent as follows: any freely given, specific, informed, and unambiguous expression of the data subject's wishes, by which they indicate agreement to the processing of personal data relating to them;
106. Article 6(1) GDPR specifies: Processing shall be lawful only if and to the extent that at least one of the following applies:
107. From the combined reading of the aforementioned legal provisions, and following the clarification from the Court of Justice regarding the interplay between the ePrivacy Directive and the GDPR, it follows unequivocally that the “refuse all” option must be provided by the defendant at the first layer when the defendant places an “accept all” button on that same layer. Otherwise, consent cannot be obtained in a “free” and “unambiguous” manner.
108. Consent is not “free” when the data subject who does not wish to grant their consent is required to take additional actions to refuse consent. As Recital 42 of the GDPR states: “Consent should not be deemed freely given if the data subject has no genuine or free choice.” A choice implies that there is at least an equal option to opt for a different action (not consenting) in the same manner as the action for which the choice is offered (consenting).
109. The fact that consent cannot be freely granted is sufficient on its own to determine that it cannot be validly offered as a choice and cannot be obtained.
110. On the other hand, the “refuse all” option is indeed represented in the next layer in the same way as the “accept all” option in that layer, but in any case, with less clarity compared to the “agree and close” option in the first layer, and is accompanied by a number of other buttons displayed beneath in a similar, equally significant manner.
111. This striking color usage in the first layer of the contentious cookie banners, where the button representing the “accept all” option is highlighted in a more pronounced color, reflects a choice aimed at leading the data subject to grant consent for cookies to be placed.
112. The EDPB Cookie Banner Taskforce report indicates that regarding color use, no general standard can be imposed on data controllers, but the assessment should be made on a case-by-case basis.
113. In the present cases, the defendant uses various standout colors that likely induce a deceptive sense of comfort for the data subject:
a. On the De Standaard website, the “agree and close” option is presented prominently in a dark red color as the most data-collecting option, while alternatives require clicking on a light gray banner against a white background.
b. On the Het Belang van Limburg website, the “agree and close” option is shown prominently in dark black, while alternatives require clicking on a light gray banner on a white background.
c. On the Het Nieuwsblad website, the “agree and close” option is shown prominently in dark blue, while alternatives require clicking on a light gray banner against a white background.
d. On the Gazet van Antwerpen website, the “agree and close” option is shown prominently in bright red, while alternatives require clicking on a light gray banner against a white background.
114. Interfaces designed with deceptive comfort as in this case undeniably steer a data subject to choose the most data-collecting options, notably because the person is unaware of how many more steps they must undertake before they can choose not to allow cookies (i.e., not to consent). The data subject knows that they choose the “path of least resistance” with this comfortable option in the first layer of the cookie banner – without this necessarily reflecting their actual informed preference for granting consent.
115. The defendant's argument that the complaint on this point is “without purpose” because different color usage is no longer employed in the second informational layer (after an adjustment during the procedure) is evidently not conducive. The assessment at hand pertains to the color usage in the first layer of the cookie banner; the Dispute Chamber’s evaluation in the dossier (including the letter dated February 5, 2024, with alleged violations stated) is in no way limited to the second layer of the cookie banner.
116. The argument that the involved complainant did grant consent is also not favorable, as the granting or withholding of consent does not preclude the assessment of the propriety of the processing. Additionally, the fact that consent has been granted is not ipso facto sufficient to state that consent has been validly granted.
117. The argument that there is “no prohibition” against using different colors is correct in a formal sense. However, the Dispute Chamber has already laid out above that this does not prevent the choice of specific colors from violating the duty of propriety in light of activities involving the processing of personal data, and that the unambiguous nature of consent cannot be ensured.
118. The argument that the Dispute Chamber has approved an action plan from an industry organization that would directly relate to the present contentious situations is likewise not a favorable argument. As previously mentioned, the decisions of the Dispute Chamber have no precedent value. Moreover, the entity referred to by the defendant is completely foreign to the current procedure.
119. Furthermore, it is important to note that under Articles 5.2 and 24 GDPR, it is the data controller who is responsible for ensuring compliance with the application of the GDPR and for taking appropriate technical and organizational measures accordingly. The defendant does not contest its responsibility for the substantive evaluation of its processing activities; therefore, even though this argument is not substantively conducive, it is also abundantly clear that it misses its target in a formal sense.
120. The Dispute Chamber does not dispute – as the defendant argues – that the guidelines of the supervisory authority and the European Data Protection Committee do not have the force of law. However, this does not mean that they do not have authoritative value (or should not), at least because Article 57.1(f) GDPR tasks the GBA with informing data controllers of their obligations under the regulation, just as Article 70.1(u) mandates the EDPB to facilitate cooperation among supervisory authorities and formulate guidelines, best practices, and recommendations as needed to ensure consistent application of the GDPR (Art. 70.1(d) GDPR).
121. For all these reasons, it is evident that the misleading colors used on the first layer of the cookie banner constitute a violation of the duty of propriety in the sense of Article 5.1(a) GDPR. Since consent is not unambiguous, it cannot be claimed that valid consent is obtained.
7.3 AVG als ongegrond, aangezien de klager geen bewijs heeft geleverd dat er op het moment van de klacht een gerechtvaardigd belang zou zijn geclaimd of toegepast.
Position of the Complainant
147. The position of the complainant is as follows: “On none of the defendant's websites does it require the same simplicity to withdraw consent as it does to accept cookies. Accepting all cookies occurs with a simple click (or two clicks if the ‘More information’ button is pressed), while withdrawing consent is not possible with a single click. Instead, website visitors must go to a specific section of the website to withdraw cookies. At the very bottom of the page, there is a link labeled ‘Manage Privacy Preferences’ buried among an extensive list of various other links. If clicked, the website visitor can then opt to ‘Refuse All’, ‘Accept All’, or click ‘Not Agree’ or ‘Agree’ for each purpose. Under Article 7(3), first sentence, GDPR, a data subject has the right to withdraw their consent at any time. The withdrawal of consent must be as easy as granting it according to Article 7(3), third sentence, GDPR. Since this requirement is not met, the defendant also violates Article 12(1) GDPR, Article 17(1)(b) GDPR, Article 5(3) ePrivacy Directive, and Article 10/2 PD Act. Moreover, the simplicity of withdrawing consent is indeed a requirement for the consent granted to be classified as valid under Article 7(1) in conjunction with Article 4(11) GDPR (and thus also for compliance with Articles 10/2 PD Act and 125 §1, 1° WEC). The EDPB has confirmed this in its guidelines on consent: ‘The ability to easily withdraw consent is described in the GDPR as a necessary aspect of valid consent. If the right to withdraw does not meet the GDPR requirements, then the consent mechanism of the data controller is not compliant with the GDPR.’ […] (emphasis added) In the EDPB Cookie Banner Task Force report, it is also emphasized that the withdrawal of consent for cookies must be as easy as granting it […] Furthermore, the EDPB guidelines on consent clarify: ‘When consent is obtained through electronic means, by a single mouse click, swipe, or keystroke, the data subject should be able to withdraw this consent just as easily in practice.’ […] In the EDPB guidelines on deceptive design and dark patterns, this same requirement is explicitly reiterated […] Therefore, the defendant must provide the complainant the opportunity to withdraw his consent with a single mouse click. When a clearly visible option for granting consent is offered, there must also be an equally clearly visible option for withdrawing consent. A link labeled ‘Manage Privacy Preferences’ in small text, among an extensive list of other links, at the very bottom of the defendant's website pages – requiring extensive scrolling – clearly does not meet these requirements. A floating, permanently visible ‘hoover’ button to withdraw consent that remains visible would meet these requirements. The defendant has somewhat improved the possibility to withdraw consent and change cookie settings since the complaint was filed. It is now possible – once the ‘Manage Privacy Preferences’ button is located and clicked – to press an ‘All Refuse’ button, whereas previously it was only possible to withdraw consent for each purpose individually. […] This shows that the defendant can easily provide an equivalent option to withdraw cookies as soon as the website visitor finds the opportunity to adjust cookie settings, and that the defendant previously consciously chose not to do so. It also shows that the defendant evidently believes the previous cookie banner did not comply with the applicable legal requirements of Article 7(3) GDPR. However, the complaint must still be assessed based on the facts at the time the complaint was filed. Otherwise, the respondent could evade any processing responsibility under data protection legislation by removing personal data in connection with a complaint or investigation. This does not negate the fact that the violation indeed occurred (for quite some time). Furthermore, with the changes made by the defendant, it is still not as simple to withdraw consent as it is to grant it; it has only become easier than it was at the time the complaint was filed.”
Position of the Defendant
148. The position of the defendant is as follows (the Dispute Chamber summarizes):
6th Argument (subordinate): The withdrawal of consent does not violate Article 4(11) in conjunction with Article 7.3 GDPR, nor Articles 10/2 PD Act and 125 §1, 1° WEC
a. Firstly, the defendant states “primarily” that there is an absence of sufficient personal interest on the part of the complainant concerning the alleged use of legitimate interest. The defendant claims that no cookies have been placed in this manner regarding the complainant, since the complainant granted consent for placing cookies.
b. Secondly, the defendant asserts “subordinately” that the complaint is without purpose because the current cookie screens of Mediahuis no longer reference legitimate interest. The defendant notes that during the same period as the settlement procedure, a number of adjustments regarding the placement of cookies based on legitimate interest were prepared (and ultimately implemented on December 22, 2023).
c. Thirdly, the defendant claims “more subordinately” that there is no breach of Article 6.1(f) GDPR, and that the complaint is unfounded to the extent that it contends that legitimate interest can never be a legal basis for cookies.
d. Fourthly, the defendant states “more subordinately” that there is no violation of Article 10/2 PD Act and Article 125 §1, 1° WEC. The defendant notes: “[…] if the exception to the rule (consent) under Article 10/2 PD Act applies, then it is self-evident that in such a case the rule (consent) itself does not apply.”
e. Fifthly, the defendant replies to the conclusion of the complainant regarding this matter.
8th Argument (subordinate): No violation of Articles 5.1(a), 12.2, and 21.4 GDPR concerning transparency of the cookie banner
a. Firstly, the defendant states “primarily” that the complaint is without purpose, as there is “no legitimate interest” since December 23, 2023. The defendant notes that all references to legitimate interest were removed on December 22, 2023.
b. Secondly, the defendant asserts “subordinately” that there is no violation of Article 5.1(a) GDPR. The defendant considers the allegation based on Article 7.3 GDPR to be unfounded, as the complainant granted consent, and states that there is “no prohibition” on using different colors to obtain consent in cookie banners.
Assessment by the Dispute Chamber
149. Firstly, the focus must be on the situation regarding the withdrawal of consent at the time of the complaint (the ‘old’ situation), before the defendant made several adjustments during the procedure. These adjustments to the contentious websites led to the situation that after clicking on the ‘Manage Privacy Preferences’ link on the contentious websites, consent could be withdrawn with a single click (“All Refuse”).
150. In the ‘old’ situation, a data subject indeed had to undertake “a number of clicks” (according to the defendant's wording) to withdraw consent, while the initial consent (“agree and close”) required only one click. The defendant expressly acknowledges that a visitor (here classified as a data subject) had to click “many more times” “compared to the situation in which he wanted to grant his full consent.”
151. Therefore, in this ‘old’ situation, withdrawing consent was clearly not as simple as granting it, which constitutes a violation of Article 7.3 GDPR. The fact that the withdrawal of consent is a relative concept – meaning that it must be as “easy” to withdraw as it is to grant – does not diminish its significance. Such an understanding as a relative concept in legal terms may well be accurate, but in relative circumstances, the “number of clicks” the defendant refers to is clearly relative to more clicks than the single click for the “agree and close” button on the cookie banner.
152. Regarding the ‘new’ situation, following the defendant's adjustments during the procedure: in the new situation, withdrawing consent after clicking on the ‘Privacy Preferences’ link on each webpage of every contentious news website can indeed be done with a single click (“All Refuse”). The options provided in the cookie banner are identical to those offered at the second layer of the cookie banner for granting consent: this practice does not give rise – based on the available documents in the dossier – to establishing a breach.
153. The website does not require a mandatory “permanently visible” button for properly withdrawing consent. When a data subject can withdraw consent with two clicks from any webpage on the contentious websites under Article 7.3 GDPR, it aligns with the spirit of the legal provision. A data subject can reasonably expect the cookie settings to be found at the bottom of a webpage. The individual can subsequently take note of the information regarding the withdrawal of consent and do so with a single button.
154. As the EDPB pointed out in the report from the Cookie Banner Taskforce, it is sufficient that a link on the website is available and placed in a “visible and standardized location.”55 Placing a direct link at the bottom of every webpage leading to a banner with a single button to withdraw consent meets this requirement. The EDPB has also emphasized in the same report that legislation only requires easily accessible solutions to be provided for withdrawing consent, but that a “specific withdrawal solution” is not mandated, and particularly the establishment of a hovering solution cannot be imposed on a data controller within the current legal context.56
155. The defendant rightly stresses that the requirement under Article 7.3 GDPR that consent must be “as easy” to withdraw as it is to grant presents a relative situation. In this sense, for the proper functioning of a website – which is also in the interest of the data subject – it is not expected that the withdrawal of consent occurs in precisely the same manner when this entails that they (in the most literal sense) must do so ‘at all times’ in that way.
156. In this reasoning, a “hoover” button (the proposal put forth by the complainant) would not suffice, as such a “hoover” button does not provide exactly the same visual representation as a cookie banner (for granting consent) for withdrawing consent at any time during the website visit. Such a requirement would impose a blocking effect on the internet user, which is manifestly unreasonable.
57. Regarding the ‘old’ situation, a breach must indeed be established regarding Article 7.3 GDPR. Given that there is no evidence that this breach continues in the ‘new’ situation following the adjustments made by the defendant, the Dispute Chamber decides on this point to issue a reprimand to the defendant. No other coercive or punitive measures are deemed appropriate in this regard.
II.3.4. Use of legitimate interest for placing cookies that require consent and alleged breach of transparency and information obligations
Position of the Complainant
158. The position of the complainant is as follows: “When the complainant visited the websites, the websites of the defendant [respondent] contained a button for legitimate interest in the second layer of the cookie banner that was defaulted to ‘Agree’ for conducting an ‘Advanced Measurement’ to ‘measure advertisement and content performance. Insights can be derived about the audience that has viewed the advertisements and content. Data can be used to build or improve user experience, systems, and software.” This “legitimate interest button” for conducting such “measurements” was placed alongside a button to grant consent for the same purpose and was only visible if the website visitor pressed the ‘+’ button. Therefore, the defendant [respondent] presents that it has a legitimate interest (Art. 6(1)(f) GDPR) for conducting “advanced measurements” if the complainant does not grant consent (Art. 6(1)(a) GDPR). Legitimate interest thus serves as a ‘backup’ basis for the defendant. In this way, the defendant unlawfully shifts from an "opt-in" system based on Article 6(1)(a) GDPR to an "opt-out" system based on Article 6(1)(f) GDPR. Legitimate interest was and is not a valid legal basis for the placement and reading of non-strictly necessary cookies, such as the cookies placed for conducting “advanced measurements” (cf. Article 5(3) ePrivacy Directive in conjunction with Article 10/2 PD Act). This has been reiterated in the EDPB Cookie Banner Taskforce Report and in guidelines from national supervisory authorities.
159. It is correct that other bases under Article 6 GDPR can be used in very limited cases for the placement and reading of cookies. However, this only applies to strictly necessary cookies and solely for the purpose of sending communication via an electronic communications network (Article 5(3) ePrivacy Directive in conjunction with Article 10/2 PD Act). Conducting “advanced measurements” by the defendant does not fall under this strict exception. Also, the further processing of personal data obtained via cookies for which consent is required must fundamentally be based on consent, as also confirmed by the EDPB and the EDPS. […] This also applies to further processing of data for conducting “advanced measurements” by the defendant. Moreover, it is misleading for the defendant to present as if consent is the basis for processing while, if this consent is not granted, the basis is switched to legitimate interest without respecting the complainant's choice to refuse consent. This violates the principles of legality, propriety, and transparency (Article 5(1)(a) GDPR). This conduct is contrary to Article 6 GDPR and Article 5(3) ePrivacy Directive in conjunction with Article 10/2 PD Act, and therefore unlawful. The EDPB guidelines on consent explicitly state that this conduct by the defendant is unfair (Article 5(1)(a) GDPR): “It is important to note that if a data controller chooses to base part of the processing on consent, it must be willing to respect the choices regarding that consent and to stop that part of the processing if a person withdraws their consent. To present as if data is processed based on consent while, in reality, another legal basis is relied upon would be fundamentally unfair to data subjects. [...] In other words, a data controller cannot substitute consent for other legal grounds. For example, it is not permitted to resort to the legal ground of ‘legitimate interest’ after the validity of consent becomes problematic.” […] (emphasis added)
160. Furthermore, there was no information about the alleged legitimate interest in the cookie banner, nor was there an option to object at the first level of the cookie banner. The only opportunity to object and even to receive information about such claimed legitimate interest was hidden in the second layer of the cookie banner. The text “Manage Preferences” at the first informational level of the cookie banner did not lead to this information or the opportunity to object. More specifically, within the second informational layer, one needed to click on the plus sign (+) next to “Advanced Measurement” to convert the defendant's “Legitimate Interest” into “Not Agree.” Thus, objecting to and being informed about the defendant's alleged legitimate interest required the website visitor to click multiple times, which people do only 2% of the time in practice. This is in violation of Article 21(4) GDPR and Article 12(2) GDPR, as both the fact that the defendant based its processing on the alleged legitimate interest and the possibility to object to this alleged legitimate interest were not explicitly brought to the attention of the data subject. This conduct also did not align with the principle of transparency (Article 5(1)(a) GDPR). Moreover, it is incomprehensible for the defendant to assume that if a data subject does not grant consent for the related “advanced measurement” processing, they would also not raise an objection against the processing under Article 21 GDPR. However, the cookie banner seemed to assume that data subjects must express the same desire not to have their data processed twice: once as a refusal of consent and then as an additional objection against the same processing activity (which constitutes a "double opt-out"). Considering the above, the defendant violated the principles of legality, propriety, and transparency as laid out in Article 5(1)(a) GDPR. The defendant has thankfully already removed references to “legitimate interest” from its cookie banners. The inclusion of a “legitimate interest” in the cookie banners has thus proven not necessary for the defendant and can easily be adjusted, indicating that the defendant previously consciously chose to include a reference to legitimate interest. This also shows that the defendant evidently believes that the previous cookie banner did not meet the applicable legal requirements. However, the complaint must still be assessed based on the facts at the time the complaint was filed. Otherwise, the respondent could evade any processing responsibilities under data protection legislation by remedying GDPR violations post-complaint or during an investigation. This does not negate the fact that the violation definitely occurred (for a considerable time).
Position of the Defendant
159. The defendant's defense is as follows (the Dispute Chamber summarizes):
7th Argument (subordinate): The reference to ‘legitimate interest’ does not constitute a violation of Article 6.1(f) GDPR, nor Articles 10/2 PD Act and 125, §1, 1° WEC
a. Firstly, the defendant states “primarily” that there is an absence of sufficient personal interest concerning the alleged use of legitimate interest. The defendant asserts, among other points, that no cookies were placed in this manner with respect to the complainant, since the complainant gave consent for placing cookies.
b. Secondly, the defendant argues “subordinately” that the complaint is without purpose because there is no longer any reference to legitimate interest since December 23, 2023. The defendant states that references to legitimate interest were removed on December 22, 2023.
c. Thirdly, the defendant argues “more subordinately” that there is no violation of Article 6.1(f) GDPR and that the complaint is unfounded to the extent it claims that legitimate interest can never serve as a legal basis for cookies.
d. Fourthly, the defendant contends “more subordinately” that there is no violation of Article 10/2 PD Act and Article 125 §1, 1° WEC. The defendant indicates: “[…] if under Article 10/2 PD Act the exception to the rule (consent) applies, then it is self-evident that, in such a case, the rule (consent) itself is not applicable.”
e. Fifthly, the defendant replies to the conclusion of the complainant regarding this aspect.
8th Argument (subordinate): No violation of Articles 5.1(a), 12.2, and 21.4 GDPR concerning the transparency of the cookie banner
a. Firstly, the defendant states “primarily” that the complaint is without purpose, as there is “no legitimate interest” since December 23, 2023. The defendant reiterates that all references to legitimate interest were removed on December 22, 2023.
b. Secondly, the defendant claims “subordinately” that there is no violation of Article 5.1(a) GDPR in this regard. The defendant considers the allegation based on Article 21.3 GDPR to be unfounded, asserting that the complainant granted consent, and indicates that there is “no prohibition” on the use of different colors to obtain consent in cookie banners.
Assessment by the Dispute Chamber
134. As the EDPB clarifies in its guidelines concerning misleading design patterns within social media platform interfaces, in the case of a potentially misleading design, the principle of propriety contained in Article 5.1(a) GDPR can be applied to assess whether a violation of legislation has occurred.
135. On all four contentious websites, the first ‘layer’ of the cookie banner is displayed nearly identically to that on the De Standaard newspaper's website – albeit with different colors, depending on the specific contentious news website:
Welcome to De Standaard! Mediahuis and third parties use cookies and similar techniques (“cookies”) to store and/or access information on a device, functional and analytical purposes, advertisement and content measurement, audience insights, product development, social media functionalities, personalized ads, and personalized content. Personal data may be processed, including information about your device, your browser, and your use of the website. By clicking “Agree,” you consent to this. If you do not wish to allow all types of cookies, click on “Manage Preferences.” You can adjust your preferences at any time via the link “Manage Privacy Preferences” at the bottom of each page. Do you wish to learn more about how we use your data? Read our privacy policy and cookie policy. Our partners and we process data as follows: Personalized ads and content, advertisement and content measurement, audience insights, and product development. Information stored and/or accessed on a device. Refuse All. Agree to All +
136. The use of certain more prominent colors on the four contentious websites, which primarily aims to encourage the data subject to grant consent for cookies, leads the Dispute Chamber to assert that the duty of propriety under Article 5.1(a) GDPR has been violated, thereby jeopardizing the valid acquisition of consent, constituting a breach of Article 6.1(a) GDPR. Consent cannot be unambiguously obtained when a data subject is “guided” to take a certain action.
137. It is evident that the striking color usage in the first layer of the contentious cookie banners, wherein the button that represents the accept-all option (“agree and close”) is highlighted in more pronounced color contrast, reflects a certain choice that leads to more intrusive processing of personal data due to the placing of cookies.
138. The EDPB Cookie Banner Taskforce report states that regarding color use, no general standard can be imposed on data controllers, but the assessment should be conducted on a case-by-case basis.
139. In these cases, the defendant uses various prominent colors that likely induce a deceptive sense of comfort for the data subject:
a. On the De Standaard website, the “agree and close” option is presented in dark red as the most data-collecting option, while alternatives must be clicked through a light gray banner on a white background.
b. On the Het Belang van Limburg website, the “agree and close” option is presented in dark black as the most data-collecting option, while alternatives must be clicked through a light gray banner against a white background.
c. On the Het Nieuwsblad website, the “agree and close” option is presented in dark blue as the most data-collecting option, while alternatives must be clicked through a light gray banner against a white background.
d. On the Gazet van Antwerpen website, the “agree and close” option is presented in bright red as the most data-collecting option, while alternatives must be clicked through a light gray banner against a white background.
140. Interfaces designed in this way create an undeniable tendency for a data subject to choose the most data-collecting options, particularly since individuals may not even know how many steps they must undertake before they can opt out of cookie placements (i.e., not grant consent). The data subject is aware that this comfortable option at the first layer of the cookie banner allows them to take the “path of least resistance” – without this necessarily reflecting their genuine informed preference for granting consent.
141. The defendant's argument that the complaint on this point is “without purpose” because different color usage is no longer present in the second informational layer (after an adjustment during the process) is clearly not helpful. The assessment here is about the color usage in the first layer of the cookie banner; the Dispute Chamber’s evaluation in the dossier (including the letter dated February 5, 2024, outlining the alleged violations) is in no way limited to the second layer of the cookie banner.
142. The argument that the involved complainant granted consent is also not helpful, as the granting or withholding of consent does not preclude the assessment of the propriety of the processing. Additionally, the fact that consent was given is not, by itself, sufficient to assert that consent has been validly granted.
143. The argument that there is “no prohibition” against using different colors is accurate in a formal sense. However, the Dispute Chamber has already elaborated above that this does not prevent the selection of certain colors from violating the duty of propriety in terms of personal data processing activities, and that the unambiguous nature of consent cannot be guaranteed.
144. The argument that the Dispute Chamber approved an action plan from an industry organization that would directly relate to the present contentious situations is also not a useful argument. As noted earlier, the decisions of the Dispute Chamber have no precedential value. Additionally, this refers to an entity that is entirely unrelated to the current procedure.
145. Furthermore, the Dispute Chamber emphasizes that according to Article 5.2 and Article 24 GDPR, it is the data controller who is responsible for ensuring compliance with the application of the GDPR and for implementing appropriate technical and organizational measures accordingly. The defendant does not dispute its responsibility for the substantive assessment of its processing activities; therefore, even though this argument is not substantively conducive, it is also abundantly evident that it misses its intended target in a formal sense.
146. The Dispute Chamber does not dispute – as the defendant contends – that the guidelines of the supervisory authority and the European Data Protection Board do not carry the force of law. However, this does not mean they should lack authoritative value, at least because Article 57.1(f) GDPR assigns the GBA the task of informing data controllers about their obligations under the regulation, just as Article 70.1(u) establishes the EDPB's role to enable cooperation among supervisory authorities and formulate guidelines, best practices, and recommendation to ensure consistent application of the GDPR (Art. 70.1(d) GDPR).
147. For all these reasons, it is evident that misleading colors are employed on the first layer of the cookie banner, which constitutes a violation of the duty of propriety as per Article 5.1(a) GDPR. Consequently, since consent is not unambiguous, it cannot be said to be validly obtained.
penalty must work towards compliance and should not merely serve punitive or deterrent purposes. Thus, the Dispute Chamber believes that a fresh and efficient approach to enforcing compliance with data protection laws, especially in the context of rapidly evolving technology, does not necessarily require prior notification to the defendant before imposing a penalty.
121. The authority must, therefore, ensure compliance with not only legal but also technological developments. The legislator intended for the interpretation of a factual situation to be evaluated by an authority in this context.
122. The fact that certain legal or technological developments impact a specific decision-making practice is a logical result of this approach – and is also taken into account in the context of sanctioning in this case (infra, section III.1.1.). An open norm does not prevent the imposition of measures, nor does it preclude the imposition of an administrative fine, as increasing technological developments (at a fast pace) compel proactive, sufficient, and proportional enforcement in new circumstances.
123. Furthermore, the defendant's argument that Article 7 GDPR does not explicitly require a ‘refuse’ option also refers back to the previous arguments presented in the context of the open norm. The Dispute Chamber assesses the legality of consent according to the definitions and conditions assigned to consent by the legislator: this pertains to consent under Article 10/2 PD Act and Article 6.1(a) GDPR, as defined in Article 4.11 GDPR.
124. Regarding the defendant's argument that the cookie banner is in compliance with previous decision-making practice of the Dispute Chamber, it should be noted that the decisions of the Dispute Chamber do not have precedential value. Although this argument may be relevant regarding potential measures (particularly the imposition of sanctions), the legal assessment that corresponds to the most accurate legal viewpoint – based on the most recent case law and the viewpoint of the EDPB – cannot be bypassed solely based on this argument.
125. The argument that the Dispute Chamber approved an action plan from a sector organization that would relate directly to the present contentious situations is likewise not a relevant argument. As noted before, the decisions of the Dispute Chamber do not carry precedential weight. Moreover, this refers to an actor that is entirely unrelated to the current procedure.
126. Additionally, it is noteworthy that under Articles 5.2 and 24 GDPR, it is the responsibility of the data controller to ensure compliance with the application of the GDPR and to take appropriate technical and organizational measures accordingly. The defendant does not contest in any way its processing responsibility for the substantive evaluation of its processing activities, therefore, even if this argument lacks substance, it is clear that it fails in a formal sense.
127. The Dispute Chamber does not contest – as the defendant argues – that the guidelines from the supervisory authority and the European Data Protection Board do not have the force of law. However, this does not imply they should lack authoritative value, especially because Article 57.1(f) GDPR assigns the GBA the task of informing data controllers about their obligations, and Article 70.1(u) enables the EDPB to foster cooperation among supervisory authorities and, if necessary, formulate guidelines, best practices, and recommendations to ensure consistent application of the GDPR (Article 70.1(d) GDPR).
128. For all these reasons, it is clear that misleading colors are used on the first layer of the cookie banner, which constitutes a violation of the principle of propriety under Article 5.1(a) GDPR. Since consent cannot be unambiguously obtained, it cannot be claimed that valid consent has been provided.
II.3.2. Use of misleading button colors
Position of the Complainant
132. The argument of the complainant is as follows: “The button ‘Agree and Close’ at the first level of the cookie banners on the defendant's websites is always prominently colored (red, blue, or black with white text) against a white background. Meanwhile, the ‘More Information’ button has a color that almost blends into the background color of the cookie banners (light gray with dark gray text against a white background). By explicitly ‘highlighting’ the ‘Agree and Close’ button compared to the option to refuse cookies, website visitors, such as the complainant, are explicitly encouraged to click on ‘Agree and Close’. Research has also shown that when the consent button has a (much) more prominent color than the button to refuse consent, consent is granted 1.7 times more often than when both buttons are the same color. As a result, consent obtained by the defendant for placing cookies cannot be considered ‘unequivocal’ (Art. 4(11) GDPR), rendering the consent from the complainant invalid (Art. 6(1)(a) GDPR in conjunction with Art. 5(3) ePrivacy Directive in conjunction with Art. 10/2 PD Act), meaning the defendant cannot demonstrate that the complainant has consented to the processing of his personal data (Art. 7(1) in conjunction with Art. 5(2) GDPR). As already emphasized in the complaint, the EDPB Cookie Banner Taskforce report also states that the contrast and colors used in the cookie banner must not be “obviously misleading,” as this leads to “unintended” and therefore invalid consent. [...] According to guidelines from various supervisory authorities, including the Greek, Austrian, and Czech authorities, it is explicitly stated that data controllers may not use misleading button colors that encourage website visitors to click on “Agree and Close”.
Assessment by the Dispute Chamber
135. The use of certain more striking colors on the four contentious websites, which has as its primary reason to encourage the data subject to give consent to the placement of cookies, leads the Dispute Chamber to assert explicitly that the duty of propriety under Article 5.1(a) GDPR has been violated and also jeopardizes the valid acquisition of consent, constituting a breach of Article 6.1(a) GDPR.
136. It is clear that the prominent color usage in the first layer of the contentious cookie banners, where the button depicting the accept-all option (“Agree and Close”) receives the most prominent color in a more distinct contrast, reflects a choice aimed at encouraging the data subject to grant consent to place cookies.
137. The EDPB Cookie Banner Taskforce report states that regarding color usage, no general standard can be imposed on data controllers; rather, the assessment must be made on a case-by-case basis.
138. In these cases, the defendant employs various striking colors that likely induce a deceptive sense of comfort for the data subject:
a. On the De Standaard website, the “agree and close” option is prominently displayed in dark red as the most data-collecting option, while the alternatives need to be accessed by clicking a light gray banner on a white background;
b. On the Het Belang van Limburg website, the “agree and close” option is prominently displayed in dark black as the most data-collecting option, while the alternatives need to be accessed by clicking a light gray banner on a white background;
c. On the Het Nieuwsblad website, the “agree and close” option is prominently displayed in dark blue as the most data-collecting option, while the alternatives need to be accessed by clicking a light gray banner on a white background;
d. On the Gazet van Antwerpen website, the “agree and close” option is prominently displayed in bright red as the most data-collecting option, while the alternatives need to be accessed by clicking a light gray banner on a white background.
139. Interfaces designed in this manner undoubtedly lead a data subject to select the most data-collecting options, especially since the individual may not be aware of how many additional steps they must undertake before they can choose not to allow cookies (i.e., not consenting). The data subject is aware that with the comfortable initial option in the cookie banner, they are taking the “path of least resistance” – without it necessarily reflecting their authentic informed preference for granting consent.
140. The argument from the defendant that the complaint regarding this point is “without purpose” because the color usage has changed in the second informational layer (after an adjustment during the procedure) is clearly not assisting. The evaluation in question pertains to the color usage in the first layer of the cookie banner; the Dispute Chamber’s assessment in the dossier (including the letter dated February 5, 2024, outlining the alleged violations) is not limited to the second layer of the cookie banner.
141. The argument that the involved complainant did grant consent is also not relevant, as the granting or refusal of consent does not obstruct the assessment of the propriety of processing. Additionally, the mere fact that consent has been granted is not, by itself, sufficient to assert that consent has been validly granted.
142. The defendant should indeed not employ misleading colors, an aspect that constitutes a violation of the duty of propriety as expressed in Article 5.1(a) GDPR. The presence of such deceptive designs makes it unfeasible to acquire valid consent, which is a legal requirement.
---
This concludes the translation of your legal text. If you have more text or require further assistance, please let me know!
a valid consent in the sense of Article 6.1(a) GDPR.
II.3.3. Withdrawal of Consent in Accordance with Article 7.3 GDPR
Position of the Complainant
147. The position of the complainant is as follows: “On none of the defendant's [respondent's] websites is it as easy to withdraw consent as it is to accept cookies. Accepting all cookies occurs with one simple click (or two clicks if the ‘More Information’ button is pressed), while withdrawing consent is not possible with one click. Instead, website visitors must navigate to a specific section of the website to withdraw cookies. At the very bottom of the page, hidden among an extensive list of various other links, is a link labeled ‘Manage Privacy Preferences’. When clicked, the website visitor can choose ‘Refuse All’, ‘Accept All’, or click ‘Not Agree’ or ‘Agree’ for each purpose. Under Article 7(3), first sentence, GDPR, the data subject has the right to withdraw their consent at any time. The withdrawal of consent must be as easy as granting it according to Article 7(3), third sentence, GDPR. Since the requirements of Article 7 GDPR are not met, the defendant also violates Article 12(1) GDPR, Article 17(1)(b) GDPR, Article 5(3) ePrivacy Directive, and Article 10/2 PD Act. Additionally, the ease of withdrawing consent is indeed a requirement for the consent to be classified as valid under Article 7(1) in conjunction with Article 4(11) GDPR (and thus also regarding whether the requirements of Article 10/2 PD Act and Article 125§1, 1° WEC are met). The EDPB has confirmed this in the guidelines on consent: ‘The ability to easily withdraw consent is described in the GDPR as a necessary aspect of valid consent. If the right to withdraw does not meet the requirements of the GDPR, then the data controller's consent mechanism does not comply with the GDPR.’ […] (emphasis added) The EDPB Cookie Banner Task Force report also emphasizes that the withdrawal of consent for cookies must be as easy as granting it […] Also, in the EDPB guidelines on consent, it is expressly clarified: ‘When consent is obtained via electronic means, through a single mouse click, swipe, or keystroke, the data subject must be able to withdraw that consent just as easily in practice.’ […] In the EDPB guidelines on deceptive design and dark patterns, the same requirement is reiterated […] Consequently, the defendant must provide the complainant the ability to withdraw consent with a single mouse click. Now that a clearly visible option for granting consent is offered, there must also be an equally clearly visible option for withdrawing consent. A link labeled ‘Manage Privacy Preferences’ in small text, buried among an extensive list of other links at the very bottom of the defendant's website pages—which requires extensive scrolling—does not meet these requirements. A hovering, permanently visible (hoover) button to withdraw consent that remains visible would meet these requirements. The defendant has somewhat improved the possibility to withdraw consent and change cookie settings since the complaint was filed. It is now possible—once the ‘Manage Privacy Preferences’ button is found and clicked—to press an ‘All Refuse’ button, whereas previously it was only possible to withdraw consent for each purpose individually. […] This indicates that the defendant can easily provide an equivalent option to withdraw cookies as soon as the website visitor finds the opportunity to adjust cookie settings, and that the defendant previously consciously chose not to do so. It also shows that the defendant evidently believes the previous cookie banner did not comply with applicable legal requirements of Article 7(3) GDPR. However, the complaint must still be assessed based on the facts at the time the complaint was filed. Otherwise, the respondent could evade any processing responsibility under data protection legislation by removing personal data in connection with a complaint or investigation. This does not negate the fact that the violation indeed occurred (for a considerable time). Moreover, with the changes the defendant has made, it is still not as simple to withdraw consent as it is to grant it; it has only become easier than it was at the time the complaint was filed.”
Position of the Defendant
148. The defendant's position is as follows (the Dispute Chamber summarizes):
6th Argument (subordinate): The withdrawal of consent does not constitute a violation of Article 4(11) in conjunction with Article 7.3 GDPR, nor Articles 10/2 PD Act and 125, §1, 1° WEC
a. Firstly, the defendant asserts “primarily” that there is a lack of sufficient personal interest on the complainant’s part concerning the alleged use of legitimate interest. The defendant argues that no cookies have been placed in this manner concerning the complainant, as the complainant granted his consent for the placement of cookies.
b. Secondly, the defendant maintains “subordinately” that the complaint is without purpose because the current cookie screens of Mediahuis no longer refer to legitimate interest. The defendant notes that during the same period as the settlement procedure, several adjustments related to the placement of cookies based on legitimate interest were prepared (and ultimately carried out on December 22, 2023).
c. Thirdly, the defendant argues “more subordinately” that there is no violation of Article 6.1(f) GDPR, and that the complaint is unfounded to the extent it contends that legitimate interest can never serve as a legal basis for cookies.
d. Fourthly, the defendant states “more subordinately” that there is no violation of Article 10/2 PD Act and Article 125 §1, 1° WEC. The defendant argues: “[…] if under Article 10/2 PD Act the exception to the rule (consent) applies, then it is self-evident that in such a case, the rule (consent) itself does not apply.”
e. Fifthly, the defendant replies to the conclusion of the complainant regarding this aspect.
8th Argument (subordinate): No violation of Articles 5.1(a), 12.2, and 21.4 GDPR regarding the transparency of the cookie banner
a. Firstly, the defendant asserts “primarily” that the complaint is without purpose, as there is “no legitimate interest” since December 23, 2023. The defendant reiterates that all references to legitimate interest were removed on December 22, 2023.
b. Secondly, the defendant claims “subordinately” that there is no violation of Article 5.1(a) GDPR in this regard. The defendant considers the allegation based on Article 21.4 GDPR to be unfounded, asserting that the complainant granted consent, and indicates that there is “no prohibition” on the use of different colors to obtain consent in cookie banners.
Assessment by the Dispute Chamber
149. The focus must first be on the situation before withdrawing consent at the time of the complaint (the ‘old’ situation) and before the defendant made several adjustments during the procedure. These adjustments to the contentious websites led to a scenario where the withdrawal of consent after clicking on the ‘Privacy Preferences’ link on the contentious websites can now be carried out with one click (“All Refuse”).
150. In the ‘old’ situation, a data subject indeed had to undertake “a number of clicks” (as stated by the defendant) to withdraw consent, while the initial consent (“agree and close”) required only one click. The defendant explicitly acknowledges that a visitor (here classified as a data subject) had to click “many more times” “compared to the situation in which he wanted to grant his full consent.”
151. Therefore, in this ‘old’ situation, withdrawing consent was evidently not as simple as granting it, which constitutes a violation of Article 7.3 GDPR. The fact that the ‘withdrawal’ of consent is a relative concept—such that it must be “as easy” to withdraw as it is to grant—does not detract from this. Such a classification as a relative concept in legal terms may be accurate, but in relative circumstances, the “number of clicks” the defendant speaks of is clearly referred to as more clicks than the single click of the “agree and close” button on the cookie banner.
152. Regarding the ‘new’ situation, after the defendant's adjustments during the procedure: in this new scenario, withdrawing consent after clicking on the ‘Manage Privacy Preferences’ link on every webpage of the contentious news websites can indeed now be done with a single click (“All Refuse”). The options presented in the cookie banner correspond to those offered at the secondary layer of the cookie banner when granting consent: this practice does not provide a basis—based on the documents presented in the dossier—for establishing a violation.
153. The website does not necessitate a mandatory “permanently visible” button for appropriately withdrawing consent. When a data subject can withdraw consent with two clicks from any webpage on the contentious websites according to Article 7.3 GDPR, it aligns with the intent of the legal provision. A data subject can reasonably expect cookie settings to be found at the bottom of a webpage. Consequently, the individual can then take note of the information regarding the withdrawal of consent and do so with one button.
154. As the EDPB has indicated in the Cookie Banner Taskforce report, it is sufficient that there is a link available on the website placed in a “visible and standardized location.” The placement of a direct link at the bottom of every webpage leading to a banner where consent can be withdrawn with one button complies with this wording. The EDPB has also emphasized in the same report that legislation merely requires easily accessible solutions for the withdrawal of consent to be offered, but does not indicate that a “specific withdrawal solution” must be implemented, nor can the establishment of a hovering solution be imposed on a data controller within the current legal context.
155. The defendant correctly emphasizes that the requirement under Article 7.3 GDPR that consent must be “as easy” to withdraw as it is to grant presents a relative situation. In this respect, for the proper functioning of a website—which is also in the interest of the data subject—it is not reasonable to expect the withdrawal of consent to occur in exactly the same manner when this implies that they (in the most literal sense) must always do so in that way.
156. In this reasoning, a “hoover” button (the proposal presented by the complainant) would not suffice either since such a “hoover” button does not present the exact same visual representation as a cookie banner (for granting consent) for withdrawing consent throughout the entirety of the website visit. This would impose a blocking effect on the internet user, which is evidently unreasonable.
157. Regarding the ‘old’ situation, a breach must indeed be established concerning Article 7.3 GDPR. Given that there is no indication that this breach continues in the ‘new’ situation following the adjustments made by the defendant, the Dispute Chamber decides at this point to issue a reprimand to the defendant. No other coercive or penal measures are deemed appropriate in this regard.
II.3.4. Use of Legitimate Interest for Placing Cookies That Require Consent and Alleged Violation of Transparency and Information Obligations
Position of the Complainant
158. The position of the complainant states: “When the complainant visited the websites, the defendant's [respondent's] websites in the second layer of the cookie banner contained a legitimate interest button that was defaulted to ‘Agree’ for conducting an ‘Advanced Measurement’ to ‘measure advertisement and content performance. Data can be used to derive insights regarding the audience that viewed the advertisements and content. This data can be used to build or improve user experience, systems, and software.’ This ‘legitimate interest button’ for conducting such ‘measurements’ was placed alongside a button to grant consent for the same purpose and was only visible if the website visitor pressed the ‘+’ button. Thus, the defendant [respondent] implied that it has a legitimate interest (Article 6(1)(f) GDPR) for carrying out ‘advanced measurements’ if the complainant does not provide consent (Article 6(1)(a) GDPR). Legitimate interest serves as a ‘backup’ basis for the defendant. Consequently, the defendant unlawfully shifts from an “opt-in” system based on Article 6(1)(a) GDPR to an “opt-out” system based on Article 6(1)(f) GDPR. Legitimate interest cannot serve as a valid legal basis for placing and reading non-strictly necessary cookies, such as the cookies placed for conducting “advanced measurements” (cf. Article 5(3) ePrivacy Directive in conjunction with Article 10/2 PD Act). This has been reiterated in the EDPB Cookie Banner Taskforce Report and in guidelines from national supervisory authorities.
Assessment by the Dispute Chamber
159. The defendant admits that cookies were placed based on legitimate interest, of which at least some should have been placed based on consent in accordance with the ePrivacy Directive and its transposition into the PD Act. Cookies placed to carry out ‘advanced measurements’ regarding website usage for advertising purposes (at least concerning the analysis of the reach and efficacy of targeted cookies) are by definition not strictly necessary. Such cookies thus require, in any case, consent under Article 10/2 PD Act and also under Article 6.1(a) GDPR for the subsequent processing of personal data.
160. As the EDPB has emphasized in the report from the Cookie Banner Taskforce, the use or mention of legitimate interest as a legal basis in the cookie banner may also confuse users, who might believe they have to refuse twice to ensure their personal data is not processed. In this sense, the legal basis for placing a cookie should either be based on legitimate interest or on consent.
161. One cannot choose to present legitimate interest as a 'backup' legal ground in the absence of granted consent. This is not only little transparent regarding the data subjects whose consent is being requested, but it is also not permitted within the framework of Article 10/2 PD Act (as transposed from Article 5.3 ePrivacy Directive) and Article 6 GDPR. Both provisions require that the data controller implements a personal data processing activity based on a single legal ground. As the Dispute Chamber has already stated in multiple decisions, the EDPB emphasizes this in its guidelines on consent: Before beginning processing activities, it must be determined which of the six grounds apply for which specific purpose. It is important to note that if a data controller opts to base part of the processing on consent, it must be willing to respect the choices regarding that consent and stop that part of the processing if a person withdraws their consent. Presenting it as if data is processed based on consent while actually relying on another legal basis would be fundamentally unfair to the data subjects.
162. The Dispute Chamber believes it is not maintaining an overly stringent interpretation of what constitutes strictly necessary cookies. However, the legislator currently leaves no room for another interpretation and explicitly refers to a “strictly necessary” character (Article 10/2 PD Act). Ruling that cookies, such as certain analytical cookies – which are not strictly necessary for the proper functioning of the website – could be placed based on legitimate interest would not merely reflect a lenient attitude, but rather an interpretation that is contra legem. This situation is even more pronounced for cookies used for marketing purposes. The Dispute Chamber applies the applicable legal rules to the facts.
163. No independent verification—e.g., by the Inspection Service—has been conducted to ascertain which cookies were placed and to what extent. In any case, the defendant’s acknowledgment of the unlawful placement of cookies based on legitimate interest necessitates the reprimanding of the defendant: they may only place cookies based on legitimate interest as long as the cookies fall under the exception scenario under Article 10/2, paragraph two PD Act; since this was not the case in the past, it constitutes a violation of the aforementioned provision. The same goes mutatis mutandis for the subsequent personal data processing activities, which must be based either on Article 6.1(a) or Article 6.1(f) GDPR—not both provisions simultaneously or as interchangeable ‘backup’.
164. It is also irrelevant whether or not valid consent from the complainant in question was obtained; the mere fact that the defendant potentially does not request consent for the placement of such cookies, resulting in unlawful processing of personal data, suffices to establish the violation.
165. The fact that the decision to place such cookies lies partly in the hands of third parties (whether they are joint data controllers, data controllers, or processors in that processing process) is irrelevant. The defendant is responsible under Article 5.2 GDPR for ensuring that the placement of cookies and the processing of personal data resulting from the placement of cookies through its contentious websites occurs lawfully.
166. The elements of the complaint related to the transparency and information obligations, as well as those elements concerning (the facilitation of exercising) the right to object based on the placement of cookies founded on legitimate interest, are not further examined by this decision. The Dispute Chamber has not been presented with sufficient elements concerning the assessment of these alleged breaches.
167. The Dispute Chamber rules that the grievances asserted in the complaint—as rightly highlighted by the defendant—are overly broad, resulting in the defendant being unable to adequately defend itself based on the documents presented in the complaint or during the proceedings (for example, regarding the general reference to an alleged breach of “the principles of transparency, legality, and propriety”).
168. The Dispute Chamber establishes that the defendant violated Article 10/2 PD Act in conjunction with Article 6.1(a) GDPR by conceding that cookies were placed based on legitimate interest while they did not fall within the exception provision under Article 10/2 PD Act before making adjustments to their website in this regard. Furthermore, the legitimate interest (also under Article 6.1(f) GDPR for subsequent processing) was used as a ‘backup’ when no consent (under Article 6.1(a) GDPR) was granted for the placement of cookies.
169. The defendant should not have (allowed) the placement of these cookies and has at least failed to investigate whether the cookies could be placed based on legitimate interest – while this falls under its responsibility as a data controller in terms of the lawfulness of its processing activities. For this reason, the Dispute Chamber will proceed to reprimand the defendant regarding this point.
170. The Dispute Chamber partially dismisses the complaint with respect to the grievances concerning the transparency and information obligations (specifically Articles 12.2 and 5.1(a) GDPR that are mentioned by the complaining party), as well as (the exercise of) the right to object (Article 21.4 GDPR is mentioned by the complaining party) due to the reasons mentioned above.
III. Measures and Immediate Enforceability
III.1. Orders
171. The Dispute Chamber finds it appropriate to issue two separate orders for each of the four contentious websites of the defendant due to the first two mentioned violations.
172. Order 1: The Dispute Chamber orders the addition of a refusal option on every layer of the cookie banner on each of the four contentious websites when an option to accept all (“agree and close”) is provided on the same layer, insofar as the accept-all option serves to grant consent within the meaning of Article 10/2 PD Act in conjunction with Article 6.1(a) GDPR for the placement of cookies involving personal data processing.
173. Order 2: In placing buttons on the cookie layers in the context of obtaining consent for the placement of cookies on the defendant’s contentious websites, the buttons – and more specifically the colors and contrast of those buttons – must not be designed deceptively. The all-refuse option must be presented in an equivalent manner compared to the all-accept option, as it is currently shown on each of the four contentious websites. This does not preclude the defendant as the data controller from opting to display such buttons in approximately the same visible location, utilizing the same color and size of button and text display; it remains the data controller's responsibility to make the choices necessary to comply with its obligations under Articles 5.2 and 24 GDPR.
174. For each of the two orders, the defendant may take inspiration from the suggestions and examples provided by the GBA in its Cookie Checklist. However, it is up to the data controller to make the necessary technical and organizational choices in this regard. An illustrative image from the Checklist could potentially be relevant for following the orders:
---
Website
If you want to allow the placement of cookies on your device, you can click the “Accept All” button. If you wish to refuse their placement, you can go to the next level by clicking “Settings.”
All Accept | Settings
Website
If you want to allow the placement of cookies on your device, you can click the “Accept All” button. If you wish to refuse them, you can click the “All Refuse” button.
All Accept | All Refuse | Settings
---
175. Each of the two orders must be complied with for each of the four contentious websites, no later than the 45th day after notification of this decision. The defendant must provide a clear document to the Dispute Chamber and the complainant as part of compliance with the order; this document should reflect which adjustments have been made to each of the contentious websites to implement the two orders.
176. Should the Dispute Chamber find that the orders have not been fully or partially complied with from the 46th day after the decision, it will notify the defendant accordingly. Once the defendant receives this notification, the penalty (infra) will be activated for non-compliance relative to the aforementioned second or third circumstance.
177. A penalty of 25,000 EUR will apply for Order 1 per started day after the 45-day period expires, especially given the consideration that the defendant might weigh the decision not to comply due to its commercial impact. The penalty will apply per contentious website of the defendant, potentially reaching 100,000 EUR per day for the defendant.
178. A penalty of 25,000 EUR will apply for Order 2 per started day after the 45-day period expires, likewise considering the potential economic impact on the defendant of not complying with the order. The penalty will apply per contentious website of the defendant, potentially reaching 100,000 EUR per day for the defendant.
179. The penalty applies per contentious website of the defendant, with a potential total of 200,000 EUR per day for the defendant. This amount is deemed proportional considering the scale of the defendant's activities and the potential impact of the violations on the rights and freedoms of the data subjects.
180. The Dispute Chamber emphasizes that this amount is not intended as a punishment but as an effective means of ensuring compliance with the orders. The goal is to motivate the defendant to act quickly and fully comply with the imposed measures, taking into account the financial capacity of the company and the potential profits that could arise from non-compliance.
181. Should the defendant demonstrate that full compliance within the set timeframe is not possible despite all reasonable efforts, the defendant has the option to submit a reasoned request for an extension to the Dispute Chamber before the deadline expires.
182. The penalty will be imposed per day, with a maximum total of penalties amounting to 10,000,000 (ten million) euros.
III.3.4. Timeline for Compliance with Orders and Imposition of Penalties
183. Merely for the understanding of the parties and any other reader of the present decision, a timeline is presented regarding the execution of the decision. In case of any uncertainty between this visual representation and the text of this decision, the text of the decision shall prevail:
IV. Immediate Enforcement
184. The Dispute Chamber acknowledges, in the context of immediate enforcement, the request and argumentation of the defendant regarding: “10th Argument (subordinate): No immediate enforcement.” The defendant cites “special reasons” in this regard and refers to the case law of the Market Court, which states that an effective legal remedy can only occur “if the requesting party is not pressured to immediately pay a fine and/or comply with the orders of the contested decision.”
185. Therefore, the defendant poses the legitimate question of suspending immediate enforcement in this case, as this would place pressure on the parties within the context (of the outcome) of any appeal procedure.
186. The Dispute Chamber refuses the request for suspension of immediate enforcement for the following reasons.
187. Firstly, immediate enforcement is the standard scenario for the national legislator. The European legislator has granted authorities the power to take measures: it is therefore the authority that decides which (corrective) measure is most appropriate to implement or impose on the defendant.
188. The possibility of appealing against a decision made does not lessen the authorities’ powers. In light of the separation of powers, the judiciary should assess a posteriori whether the supervisory authority has acted within the legal framework and its discretionary powers. When the judiciary employs its powers to suspend immediate enforcement, it is a decision that falls within its evaluative powers.
189. It cannot be the standard practice – considering the credibility of the powers granted to the authorities by the European and national legislators – that the enforcement of decisions and measures taken by an authority is suspended as soon as a party requests it. If this were the standard scenario, it would undermine the legislator's entire setup to enable decisive and effective action in a digitized society. This does not fit within the teleological design of the powers granted to the authority under the GDPR.
190. Secondly, where immediate enforcement is not suspended, if the decision is subsequently found to be inadequate, legal redress is in any case possible, given that the rulings of the Market Court serve as the final substantive judgment in the involved cases. In this case, there are no indications that such legal redress would be difficult or impossible, as no irreversible measures are taken against the defendant. This situation might have been different if a (high) administrative fine were imposed, a situation which the defendant references in light of its request.
191. Should substantial measures be imposed on a defendant, for example in a situation where the legislation is apparently unclear, the suspension of immediate enforcement might indeed be considered – which is why the legislator has provided this option.
192. The Dispute Chamber has, in light of the underlying case, recognized that there was indeed legal uncertainty regarding the interpretation of certain consent requirements concerning cookies—especially due to uncertainty regarding the interplay between the GDPR and the ePrivacy Directive; however, this has been clarified by the Court of Justice in the meantime.
193. The GBA has taken a position regarding the correct implementation of consent in light of cookie banners.
194. Furthermore: the fact that five similar media companies accepted a settlement that reflected the position indicated in the Cookie Checklist from the GBA is a clear indication that the legal situation is not seemingly unclear. It can be noted that courts routinely cite the positioning of supervisory authorities regarding cookies and other tracking mechanisms and thus consider them authoritative, without that implying anything regarding enforceability as a rule.
IV. Publication of the Decision
218. Given the importance of transparency concerning the decision-making of the Dispute Chamber, this decision shall be published on the website of the Data Protection Authority.
219. Since the defendant is a media company of considerable size and also societal reach, and given that the personal data processing activities address a significant portion of the Belgian and, more broadly, Dutch-speaking population, the Dispute Chamber deems it appropriate to disclose the identity of the defendant as well as the names of the contentious websites. This is in line with the transparency practice adopted by the Dispute Chamber in similar procedures involving similar actors in the media sector that led to settlement decisions, although in those procedures, no effective violations were decided or enforcement measures taken.
220. The identity of the representative of the complainant is also of importance for a clear understanding of the procedure, given the procedural elements formulated by the defendant regarding the practice of mandating that representative. It can be noted that the representative has publicly disclosed the circumstances of this procedure, including the identity of the defendant, on their website. Additionally, it is important to transparently indicate the fundamental differences in procedural assessments in this dossier as compared to other dossiers – where the Dispute Chamber did decide on a lack of mandate for the same representative.
---
FOR THESE REASONS, the Dispute Chamber of the Data Protection Authority, after deliberation, decides to:
Pursuant to Article 100, §1, 9° DPA Act, order the defendant to ensure that the placement of cookies and the processing of personal data on its websites are brought into compliance with Article 6 GDPR in conjunction with Article 10/2 PD Act, by modifying the cookie banner in accordance with this decision, and by submitting the necessary visual evidence to the Dispute Chamber and the complainant no later than the 45th day after notification of this decision (“order 1”). The defendant must ensure, in this context, that misleading button colors are not used so that the propriety of the processing is guaranteed (“order 2”).
Pursuant to Article 100, §1, 12° DPA Act, impose a penalty concerning compliance with Order 1, whereby non-compliance with Order 1 results in a penalty of 25,000 EUR per day per contentious website, starting from the notification (on the 46th day or later after notification of this decision) by the Dispute Chamber regarding the penalty.
Pursuant to Article 100, §1, 12° DPA Act, impose a penalty regarding compliance with Order 2, whereby non-compliance with Order 2 results in a penalty of 25,000 EUR per day per contentious website, starting from the notification (on the 46th day or later after notification of this decision) by the Dispute Chamber regarding the penalty.
Pursuant to Article 100, §1, 5° DPA Act, reprimand the defendant concerning the violation committed by the defendant under Article 7.3 GDPR.
Pursuant to Article 100, §1, 5° DPA Act, reprimand the defendant for placing cookies based on legitimate interest when no exception situation justified this.
Pursuant to Article 100, §1, 1° DPA Act, dismiss the complaint regarding those aspects related to transparency and information obligations and the exercise of the right of objection in light of the placement of cookies based on legitimate interest.
---
Pursuant to Article 108, §1 DPA Act, an appeal can be filed against this decision with the Market Court (Brussels Court of Appeal) within thirty days of notification, with the Data Protection Authority as the respondent.
Such an appeal can be filed via a statement of opposition that must contain the specifications listed in Article 1034ter of the Judicial Code. The statement of opposition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit information system of Justice (Article 32ter of the Judicial Code).
(get). Hielke HIJMANS
Chair of the Dispute Chamber
