APD/GBA (Belgium) - 85/2022
From GDPRhub
| APD/GBA - 85/2022 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 4(11) GDPR Article 5(1)(e) GDPR Article 5(2) GDPR Article 6(1)(a) GDPR Article 6(1) GDPR Article 7(1) GDPR Article 7(3) GDPR Article 12(1) GDPR Article 24 GDPR Article 5(3)(e) ePrivacy Directive |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 16.01.2019 |
| Decided: | 25.05.2022 |
| Published: | 25.05.2022 |
| Fine: | 50.000 EUR |
| Parties: | Roularta Media Group |
| National Case Number/Name: | 85/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | Beslissing ten gronde 85/2022 van 25 mei 2022 (in NL) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA fined a large media company €50,000 for not obtaining prior consent to place cookies and for violating the principles of accountability and storage limitation.
English Summary
Facts
On 16 January 2019, the Executive-committee of the Belgian DPA (GBA) started an investigation on the use of cookies on Belgian media websites. The controller in this case is Roularta Media Group.
The investigation revealed the following potential violations. First, the placement of unnecessary cookies prior to consent of the data subject. Second, the placement of statistical cookies without consent. Third, pre-ticked boxes to grant consent for cookies from partners. Fourth, the placement of a disclaimer for third-party cookies. Fifth, false and inadequate information in their privacy policy. Sixth, unjustified retention periods for the storage of cookies. Lastly, revoking consent was impossible. In fact, this placed more cookies. The controller argued that statistical cookies are used for aggregated basic statistics, necessary for the business model of the website. No personal data is being processed for this activity, as such, the GDPR does not apply.
The controller argued that regarding the statistical cookies, the personal data was anonymised. The controller further argued that the Belgian DPA did not provide adequate guidelines for companies to comply with the GDPR. The controller refers to e.g. the French and Dutch DPA, who have provided this.
Holding
Regarding the placement of cookies, the DPA first noted that cookies can only be placed without prior consent when they are (1) strictly necessary for the transmission of communication or (2) to provide a service that is explicitly requested by the user. The DPA held that the controller violated Article 6(1)(a) and Article 5(3) ePrivacy Directive 2002/58/EC, as some of the cookies placed without prior consent were found to be not strictly necessary. The controller even admitted to the placement of unnecessary cookies without obtaining prior consent.
Regarding the placement of statistical cookies in particular, the DPA noted - with reference to her decision in 12/2019 - that these also require prior consent. The DPA observed that the placement and reading of these cookies on the terminal equipment of users revealed their IP-addresses to the controller. The DPA disregarded the defence of the controller that the IP-addresses were anonymised, and found that they were instead pseudonimised. This makes the data subjects indirectly identifiable and thus the GDPR applicable. The DPA therefore held that the controller violated Article 6(1)(a) and Article 5(3) ePrivacy Directive 2002/58/EC by not obtaining prior consent.
Regarding the pre-ticked boxes for the cookies from partner companies, the DPA argued that this cannot constitute lawful consent by the definition of Article 4(11) (and with reference to Planet49). The DPA thus found another violation of Article 6(1)(a).
The DPA held that regarding the disclaimer placed on their website for third-party cookies, the controller violated the principle of accountability laid down in Article 5(2). The DPA stated that controllers are responsible for compliance with the GDPR and the demonstration thereof (Article 24).
The DPA found that the privacy policy of the controller contained false, incomplete and insufficient information. The DPA therefore held that the controller violated Article 12(1), as it did not communicate the information referred to in of Article 13 and Article 14 in a "concise, transparent, intelligible and easily accessible form". The DPA furthermore held that the controller violated the principle of storage limitation laid down in Article 5(1)(e) by not proactively defining the criteria for the storage of cookies.
Lastly, the DPA found that the controller violated Article 7(3), as withdrawing consent was made impossible by the controllers cookie-management tool. The DPA noted that withdrawing consent must be as easy as providing consent for users.
The DPA found that the alleged absence of concrete guidelines is not a valid argument against a violation of data protection legislation. The DPA held that it is the responsibility of the controller to comply with the law and further noted that numerous guidelines for companies to ensure compliance with the GDPR already exist.
The DPA fined the controller €50.000. The DPA further ordered the controller to get its processing of personal data - for which a violation was established - in compliance with the GDPR within 3 months.
Comments
While addressing the installation of statistical cookies, both the DPA and the controller seem to focus on the (non-)personal data conveyed by the tracker. It is important to note that this is only of importance for the applicability of the GDPR. The ePrivacy Directive refers to the storage of 'information,' which is a broader concept. This is also stated in Planet49.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/58
Dispute room
Decision on the merits85/2022 of 25 May 2022
File number : DOS-2020-03432
Subject: Use of cookies on Knacken LeVif's media websites (RoulartaMediaGroup)
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,
chairman, and Messrs Christophe Boeraeve and Frank De Smet, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and
on the free movement of such data and repealing Directive 95/46/EC (General
Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;
In view of the law of 30 July 2018 on the protection of natural persons with regard to
the processing of personal data, hereinafter WVP;
Having regard to the internal rules of procedure, as approved by the Chamber of Representatives
on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
has taken the following decision regarding:
†
Defendant: Roularta Media Group, a public limited company under Belgian law, with .
registered office at 8800, Roeselare, Meiboom, 33 and registered in the .
Crossroads Bank for Enterprises under number 0434.278.896,
represented by Master Tom De Cordier, with office at 1170,
Watermael-Bosvoorde, Terhulpsesteenweg 178 (CMS)., Decision on the merits 85/2022 - 2/58
I. Facts procedure
I.1. Investigation Inspection Service
1. On January 16, 2019, the Executive Committee of the Data Protection Authority (“DPA”) decides on
pursuant to Article 63, 1° WOG, read in the light of Article 57, paragraph 1, points a) and h) of the GDPR, in order to
submit a file to the Inspectorate in connection with the use of cookies on
Belgian media websites.
2. In particular, it was decided to conduct a survey of the most consulted
1
Belgian news media:
1 HLN DPG Media nv http://hln.be/ NL
2 Het Nieuwsblad Mediahuis http://nieuwsblad.be/ NL
3 VRT VRT http://deredactie.be/ NL
4 Sudinfo Groupe Rossel http://sudinfo.be/ FR
5 La DH IPM Group SA http://dhnet.be/ FR
6 De Standaard Mediahuis http:// Standaard.be/ NL
7 RTBF RTBF http://rtbf.be FR
8 Gazet van Antwerpen Mediahuis http://gva.be/ NL
9 RTL Groupe RTL http://RTL.be FR
10 The Importance of Mediahuis http://hbvl.be/ NL
Limburg
11 Le Soir Groupe Rossel http://lesoir.be/ FR
12 7 sur 7 DPG Media nv http://7sur7.be/ FR
13 La Libre IPM Group SA http://lalibre.be/ FR
14 De Morgen DPG Media nv http://demorgen.be/ NL
15 De Tijd MEDIAFIN NV http://tijd.be/ NL
16 l'Avenir Nethys.sa http://lavenir.net/ FR
17 VTM DPG Media nv http://vtm.be NL
18 Sudpresse Editions Groupe Rossel http://www.sudpressedigital.be/FR
digitals
19 Knack Roularta Media http://knack.be/ NL
group
20 Le Vif Roularta Media http://levif.be/ FR
group
1According to 2019 figures from the Center for Information on the Media (CIM), Decision on the substance 85/2022 - 3/58
3. The aforementioned investigation related to the verification of the basic principles of the GDPR and the e-mail
Privacy Policy on the use of cookies and in particular:
- the clarity and accessibility of the information about cookies;
- compliance with obtaining the user's consent for posting
not strictly necessary cookies;
- the (whether or not) placement of cookies that are not strictly necessary before the consent of
the user has been obtained;
- the possibility for the user to parameterize his acceptance of cookies (i.e.
the possibility of differentiating options on a more general level), in
in particular to refuse cookies intended for profiling for
advertising purposes.
The study was based on the following principles:
- Further browsing is no longer accepted as it violates the GDPR;
- To comply with the consent requirement, which implies a freedom of choice,
the possibility to parameterize cookies and clear information about
the purposes of the categories of cookies are provided;
- For websites currently working with a parameter setting, the
effectiveness of that parameter setting at a technical level.
4. On 7 October 2020, the inspection of the Inspectorate for the websites www.knack.be and
www.levif.be and the file is transferred by the Inspector General to the
Chairman of the Disputes Chamber, in accordance with art. 91, §1 and §2 WOG.
5. The inspection reports of the Inspectorate contain the following findings:
1. Placement of cookies that are not strictly necessary before consent was given
obtained (potential violation of Article 6.1 a) GDPR):
▪ Article 6.1 a) GDPR and Article 129 of the law on electronic
communication (WEC) determine that the consent of the data subjects is required
before placing the cookies, except when it is strictly necessary
cookies;
▪ The technical analysis of the Inspection Service shows that cookies are used
installed before the data subject has been able to give his consent (for
Knack 66 cookies and for Le Vif 60 cookies). These include third party, Decision on the merits 85/2022 - 4/58
cookies (48 for Knack, 44 for Le Vif). The technical report would also show
that numerous analytical and marketing cookies have been registered.
▪ For both the Knack and Le Vif site, only 2 cookies were considered strict
found necessary.
2. Statistical cookies are placed without permission (potential violation of
article 6.1 a) GDPR):
▪ The cookie settings screen shows that Roularta Media Group on the websites of
Knack and Le Vif considers statistical cookies as cookies that are not subject
are subject to permission. After all, they are always active by default and cannot
be turned off;
▪ First party “statistical” cookies are not necessarily subject to the exception of
'strictly necessary cookies' from Article 5.3 paragraph 2 of the e-Privacy Directive. The
The Disputes Chamber ruled in a decision on the merits 12/2019 of 17 December
2019 that statistical cookies cannot be considered as cookies that are strictly
are necessary to provide a service requested by a subscriber, in the sense
of article 129 paragraph 2 WEC. It considered that the term “necessary” in accordance with the
protection purposes of European data protection law
be interpreted in the sense that this exception is only in the interest of the
data subjects (website visitors) and not in the exclusive interest of the provider
may be invoked by the information service. Even though website operators find
that these cookies are indispensable for the provision of their service, they are per
se not absolutely necessary to provide the information requested by the website visitor
2
provide information services.
▪ However, in the same decision, the Disputes Chamber did not exclude that certain
statistical cookies are strictly necessary under certain conditions
cookies would be for the provision of a requested by the data subject
service, for example to detect a navigation problem. Of these, in this
case, however, is not the case. 3
3. Pre-ticked boxes for the partners (potential violation of Articles4.11,
6.1 a) and 7.1 GDPR):
▪ The GDPR requires a “statement or unequivocal active act” (Article
4.11 GDPR), which means that all presumed consents based on a more
2 GK, Decision on the merits 12/2019 of 17 December 2019,
https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-12-2019.pdf,
3Ibid., Decision on the merits 85/2022 - 5/58
implicit course of action of the data subject, not in accordance with the standards
of the consent of the GDPR. The Inspectorate bases itself on the Planet49
judgment from which it became clear that Article 2. F (definition of consent) and Article
5.3 (consent for cookies) of the ePrivacy Directive, should be read in
4
in conjunction with Article 4.11 and Article 6.1 a) of the GDPR. The Court of Justice
subsequently ruled that consent was not validly granted when
the storage of information by means of cookies or access to already on the
terminal equipment of the website user stored information via cookies
is allowed by default checked checkboxes which
the user must tick if he refuses to give his consent; 5
▪ The technical analysis shows that the cookies of partner companies are set to
being active;
▪ The Inspectorate also establishes that the defendant also does not comply with the
obligation of Article 7.1 of the GDPR which imposes on him to demonstrate that the
data subject has given his consent to use cookies that are not strictly necessary
to place.
4. Disclaimer for third party cookies (potential violation of Article 5.2 a) and 7.1 GDPR):
▪ According to the Inspectorate, Roularta Media Group is trying to
disclaim responsibility for third-party cookies that
visit to the sites of Knack and Le Vif;
▪ For example, the cookie policy states that Roularta Media Group is not responsible for
cookies that are placed and managed by third parties (including to make it possible
share information through social networks). The cookie policy also states that
Roularta Media Group has no control over certain cookies that are placed on its
website are used.
▪ The Inspectorate refers to the judgment in this regard
Wirtschaftsakademie of the Court of Justice which held that the
owner of a website is responsible for the processing of cookies that
4Judgment of the Court of Justice of 1 October 2019, C-673/17, ECLI:EU:C:2019:801, Planet49 (hereinafter: "Judgment Planet49"), paragraph
65: “In view of the foregoing, the answer to question 1(a) and (c) is that Article 2(f) and Article 5(3) of
Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46 and with Articles 4(11) and 6(1)
point (a) of Regulation 2016/679, must be interpreted as meaning that the authorization referred to in those provisions does not
legally valid is granted when the storage of information by means of cookies or access to the terminal equipment of
the user of a website information stored via cookies is allowed by means of a ticked by default
checkbox that this user should uncheck in case he refuses to grant his consent.”
5Ibid., Decision on the merits 85/2022 - 6/58
installs or reads its website. At the very least, he participates in determining
the purposes and means of processing the personal data of
the visitors of its website through third-party applications on its website or the
dissemination of the content of third parties in the advertising spaces of its website
7
to allow.
▪ Subsequently, the Inspectorate refers to the accountability principle in Article
5.2 of the GDPR showing that the controller
is responsible for compliance with the principles governing the processing of
personal data and that he must be able to demonstrate compliance with these principles
be taken.
▪ This practice used by Roularta Media Group should also be seen as
a violation of Article 7.1 GDPR, as a controller
must demonstrate that the data subject has given permission for the posting
of all cookies that are not strictly necessary.
5. Wrong and faulty information (potential violationart.4.11,12.1,13and14ofthe
GDPR).
▪ The Roularta Media Group cookie policy contains provisions that are not in
comply with the GDPR. For example, the cookie policy speaks of implicit
permission for cookies via access to the websites of Roularta Media
Group, which conflicts with the need for an expression of will by a clear
statement or affirmative action in accordance with Article 4.11 GDPR. Also,
note that for sharing data collected through cookies no
specific permission is required, which is contrary to the specific character
of the consent to data processing in accordance with Article 4.11
of the GDPR;
▪ The cookie policy would also lack clarity about the necessity of the use
from third party cookies due to technical problems that have been going on for more than a year
last for years;
6 Judgment of the Court of Justice of 5 June 2018, C-210/16, ECLI:EU:C:2018:388, Wirtschaftsakademie, para. 39: “In this
circumstances, it must be considered that the administrator of a fan page on Facebook, such as Wirtschaftsakademie, has been
define institutions according to, in particular, its target audience and objectives for the management or promotion of its
activities, participates in the determination of the purposes and means of the processing of the personal data of the
visitors to his fan page. For this, this manager must, in this case, be regarded as a controller within the Union,
jointly with Facebook Ireland, for this processing, within the meaning of Article 2(d) of Directive 95/46.”
7Ibid., Decision on the merits 85/2022 - 7/58
▪ The Inspectorate also notes that the names of the types of cookies in the
cookie policy do not match the names of the cookie categories in the
cookie setting tool, which does not improve comprehensibility;
▪ In addition, the cookie policy does not include information about the
storage periods of cookies. After all, the cookie policy would mention a
unlimited storage period for cookies;
▪ The cookie policy states that the partners use the “IAB Europe”
Transparency & Consent Framework” that would ensure that third parties comply with the GDPR
comply. However, of the 449 partners that are on the Knack and Le Vif sites
mentioned, 312 have not been validated or are no longer validated by IAB;
▪ The fact that the user must follow the policies of the 449 sellers (“vendors”)
to find out what these companies do with his data and
make an informed decision on that basis to obtain his/her consent
giving is more than illusory and impracticable. In addition, this will likely lead
to place even more cookies when visiting the links to this one
partners;
▪ Finally, it is noted that cookies are not individually documented,
making the user unable to control what happens to their data
is being done.
6. Unjustified storage periods of cookies (potential violation of article 5.1e)
of the GDPR):
▪ The Inspection Service refers to article 5.1e) AVG, which stipulates that cookies
should not be kept for longer than is necessary to achieve the purpose. This one
retention period may therefore not be indefinite. The information that becomes
collected and stored in a cookie and the information collected as
as a result of reading a cookie should be deleted if it is not
longer is needed for the intended purpose. A cookie that is exempt from
the consent requirement must have a lifetime that is directly related
with the purpose for which it is used and must be set up to
expire as soon as it is no longer necessary, taking into account the reasonable
user expectations. Cookies that are exempt from the
consent requirement will therefore generally have to expire when the
8
browser session ends or even earlier ;
8 See “The lifespan of cookies” and the “Questions” in the theme file “Cookies” on the website of the GBA,
https://www.dataprotectionauthority.be/burger/thema-s/internet/cookies., Decision on the merits 85/2022 - 8/58
▪ The technical analysis report shows that the effective storage periods are unreasonable
are long and that cookies have a lifespan of several years. It
cookie policy mentions a storage period that is in principle unlimited.
7. Non-compliance with the withdrawal of consent (potential violation of Article 7.3
GDPR):
▪ Article 7.3 of the GDPR provides that the data subject has the right to give his/her consent
withdraw at any time;
▪ The technical analysis shows that the withdrawal of consent is not
is effective. The technical analysis of the Knack site shows that the number
cookies does not decrease after returning to minimal choices. The Inspection Service states
established that if she withdraws her consent again, there will be no change in the
9
amount of cookies loaded, on the contrary, the number of cookies increases. From the
technical analysis of the Le Vif website shows that it is impossible to
operate the cookie management tool after the first consent has been given.
6. On November 6, 2020, the Disputes Chamber requests the Inspectorate on the basis of Article 94, 2° and
96, § 2 WOG for additional information regarding the technical investigation reports.
7. On November 30, 2020, the additional investigation will be completed and the Inspectorate will provide
an additional investigative report to the Disputes Chamber.
I.2.The procedure before the Disputes Chamber
8. On 21 December 2020, the Disputes Chamber decides on the basis of Article 98 WOG that the file
ready for treatment on the ground.
9. On December 21, 2020, the defendant will be notified of this
decision, as well as the inspection report and the inventory of the documents in the file submitted by
the Inspectorate was transferred to the Disputes Chamber. The defendant is also
under Section 99 WOG notified of the deadlines to submit its defenses.
The deadline for receipt of the defendant's response was
laid down on February 9, 2021.
10. On January 6, 2021, the Disputes Chamber will receive a letter from the defendant's counsel. In
the aforementioned letter requests the defendant for a copy of the file (art. 95, § 2, 3° WOG) and
it asks the Disputes Chamber to be heard in accordance with Article 98 WOG, in order to:
to explain its defenses orally.
9See page 46 of the De Knack Inspection Report: “Between step 24 “everything” and step 26 “minimum”, the number of cookies
not finished”., Decision on the substance 85/2022 - 9/58
11. On January 18, 2021, the Disputes Chamber will send a copy of the file to the defendant.
12. On 9 February 2021, the Disputes Chamber receives the statement of defense from the defendant.
Following is the summary of pleas and arguments formulated by the defendant in
that conclusion.
13. In its reply, the defendant points out, first, that there are some
inaccuracies were during the GBA's investigation.
▪ Means 1: the investigation was not carried out according to the rules of the art of
are applicable.
o The manual cookie scans are missing essential elements, namely the list
of URLs visited and specific requests related to the placement of
cookies. This makes it impossible for Roularta Media Group to determine which
URLs were visited during the study and whether these URLs were limited to
Roularta and whether cookies were already present during each consent scenario or
were placed.
o Cookiebot and Onetrust were used as classification mechanisms
(both do not provide information and methodology on the used
classification method).
o In addition, the Inspectorate used a free version of both mechanisms
which does not contribute to the credibility of the research.
o Finally, OneTrust and Cookiebot's ratings show conflicts, and
nowhere in the study is it clarified how these are resolved when
the mechanisms are applied to Roularta's cookies.
o Unclear terminology: “no technology”, “further browsing”, “CMP”,
“cookiewall”, “persistent banner”, “non-permanent banner”.
o Unprofessional tooling: both WEC and Cookie Manager are immature github
repositories according to any software development standard. Although the WEC it
bears the stamp of approval of the EDPB, this repository is exclusively
developed by Robert Riemann, IT Policy Officer at the European regulator
for data protection (EDPS), and is not actively maintained, assuming
on the number of recent pull requests and open issues. Also Cookie Manager
was developed by a private individual (Rob Wu) who has no specific privacy or
has security background., Decision on the merits 85/2022 - 10/58
▪ Means 2: the document uses sources/tools that are not official
o The sources for the cookie format cannot be verified, and the
documented sources are not reliable. Both OneTrust and Cookiebot
have built their own cookie classification database that controllers
supported by their understanding of cookies and bootstrap during implementation
of a CMP.
o Regarding OneTrust: the classifications are based on the guidelines of the ICC
in the UK, which are no longer available, and supplemented by "a
layer of simple rules that allow clearer decisions to be made
in certain edge case scenarios, and a methodology for the
classification of best practices when further information on the use of
certain cookies is not otherwise available".
o As for Cookiebot: Owned by Swedish privacy company Cybot, gives
only indicates that the company maintains a global cookie repository without
methodology and sources.
o The credibility of these classifications is further affected by the fact
that the Researcher uses free versions of both Cookiebot and
OneTrust aiming to encourage users to subscribe to a full subscription
to buy.
o Reference to website gdpr.eu for definition of strictly necessary cookies:
website is owned by the Swiss company Proton Technologies AG. The
Inspectorate could also refer to the correct legislation.
o Ratio of third-party cookies: The inspectorate claims that the ratio between
first and third party cookies in the context of strictly necessary cookies serves as
proxy for potential breach. While there is absolutely no causal relationship between
the purpose of a cookie and domain ownership.
o Manual cookies do not contain time stamps. As a result, Roularta cannot
verify whether these cookies are actually placed in sequence and which ones
cookies are added after a specific permission setting.
14. The defendant then addresses the findings of the Inspectorate:
▪ Fix 1: placement of non-strictly necessary cookies before consent
was obtained, Decision on the substance 85/2022 - 11/58
o Roularta states in its conclusions that it cannot verify which cookies are on the
time of the findings were effectively placed. She declares that by
lack of technical knowledge at Roularta there was a poor implementation
from OneTrust. Cookies that would have been placed by advertisers
should normally follow the consent obtained through the IAB TCF
passed. According to Roularta, however, it is very difficult to permanently
check whether all IAB vendors adhere to the agreements of the IAB TCF.
o Roularta does indicate that in 2021 it will bring all news and content websites under one
Roularta domain so that this problem is much better controlled
can become.
▪ Fix 2: statistical cookies without permission
o According to Roularta, placing statistical cookies before permission
was obtained in accordance with art. 6.1 a) GDPR. This is due to the fact that the
The purpose of placing these statistical cookies is to provide aggregated
collect basic statistics about the use of its websites, which means
is necessary for the business model of the websites:
▪ advertisers must be trusted and certified by the CIM (Centre for
Information about the Media) controlled visitor figures available
be asked;
▪ on the other hand, editors must be able to read the result of online
to measure published articles in order to be able to continuously evaluate and
adjust.
o Defendant refers to the fact that aggregated data outside the
scope of the GDPR.
o In addition, the DPA had not yet published official guidelines on the
obligation to obtain permission to place
statistical cookies. Defendant then refers to the position of both
the CNIL (French Authority) and the AP (Dutch Authority) regarding
statistical cookies. It states that it maintains its practice with regard to statistical cookies
inspired by the recommendations of the CNIL and the AP. Corresponding
own interpretationswasRoularta's practice with regard to statistical cookies in
compliance with the WEC and the GDPR.
▪ Identification 3: pre-ticked boxes for the partners, Decision on the substance 85/2022 - 12/58
o Roularta believes that the use of pre-ticked boxes is a valid
permission.
o Partner companies within the OneTrust Consent Management Platform were
default to "active", but Roularta clarifies that this does not mean that cookies
were installed by those partner companies. So it wasn't about a
permission to place cookies, but about a permission for
give a number of partner companies access to data for one or more
purposes. For example, if the data subject did not accept advertising cookies,
then these partner companies would also not be able to place advertising cookies.
o Roulartai's view, in the light of the case law of the Court of Justice in the
judgment Planet49, that the practice whereby cookies from partner companies are
being “active” constitutes a valid consent within the meaning of Articles 4.11 and
6.1 a) GDPR.
o Roularta points out that they have switched to the Didoma Consent
Management Platform in March 2020, and now none of the partner companies
is still automatically set to “active” and the user always has to make an active choice
to make.
▪ Fix 4: Disclaimer for Third Party Cookies
o Roularta states that it is not responsible for the processing of cookies used by
third parties are placed within the framework of the IAB TCF.
o The defendant relies on the IAB Europe investigation for its argumentation:
“Belgium's Data Protection Authority found IAB Europe's Transparency and
Consent Framework does not meet several standards under the EU General Data
Protection Regulation, TechCrunch reports. The DPA determined the framework
fails to comply with the GDPR's principles of transparency, fairness and
accountability. IAB Europe said in response it “respectfully disagree[s] with the
[Belgian DPA]'s apparent interpretation of the law, pursuant to which IAB Europe is
a data controller in the context of publishers' implementation of the TCF
[Transparency & Consent Framework (TCF)'".
o Subsequently, the defendant argues that, should the DPA come to a different conclusion,
its practices nevertheless comply with Article 5.2 of the GDPR. The
accountability means “(I) the need for a for the
controller to take appropriate and effective measures
to implement the principles of data protection…”
No guidelines have been published by the DPA clarifying what, Decision on the merits 85/2022 - 13/58
is meant by a minimum of appropriate and effective measures.
In addition, Roularta has chosen to use the IAB
Framework described as “the most sophisticated and scrutinised”
model of GDPR compliance for digital advertising in the world”.
o Roularta clarifies that the disclaimer was not intended to
shuffle off responsibility but give more to indicate that they are not
is able to block cookies placed by third parties.
o With regard to elements II and III of Article 5.2 of the GDPR: “(ii) the need to request
demonstrate that appropriate and effective measures have been taken.
The controller must therefore be able to provide evidence
of (i) above”.
Defendant admits that the statement in the cookie policy that “Roularta Media”
Group is not responsible for the cookies placed by third parties and
managed, among other things, to make it possible to share information via social media
networks” and that “Roularta Media Group has no control over certain
cookies used on its website” which was worded in an unfortunate way.
Defendant argues that it was not so much the intention to disclaim responsibility
to indicate that Roularta is technically unable to accept cookies
block those placed by some third parties (in this case: advertisers)
become.
Advertisers and agencies, when an ad campaign is on
one of the Roularta sites is shown, via those campaign cookies or scripts
launches that are impossible for Roularta to know in advance.
Roularta states in its conclusions that the statement in the cookie policy in
issue was removed because it can be turned into TCF framework since the IAB
assumed that IAB vendors no longer use cookies or scripts in accordance with this framework
unless there is permission for both the cookies and the vendor involved
approved in the list of partner companies.
▪ Conclusion 5: wrong and faulty information
Regarding the statement “.. the lack of clarity in the cookie policy
regarding the necessity of using third party cookies is due to
technical problems”:
o Position of Roularta: At the time of adoption by the GBA,
this problem has already been solved but it was still in the privacy policy. At, Decision on the substance 85/2022 - 14/58
update of the cookie policy on June 23, 2020 this entry was removed.
Specifically, the problem was that Knack used a new registration system
since November 2018. This registration system used functional
cookies, to ensure that users do not have to log in again and again
sign in. Technically, this cookie was a third-party cookie. It turned out
be a problem for users who default third party cookies
refused (they had to re-register each time). This problem became
raised with the supplier of the registration system with a view to a
quick solution. A solution was sought, but turned out to be more difficult than
thought. They had to find a way in which people who are only first-party
accept cookies can remain logged in on the website.
About the mismatch of the names of the cookies in the
cookie policy, on the one hand, and the categories of cookies in the cookie
setting tool, on the other hand:
o Roularta's point of view: Roularta had no choice but to
terms used by IAB TCF on its consent tool (on
penalty of exclusion from the TCF).
About the fact that the cookie policy would not contain any information
regarding the storage periods:
o See statement of defense about determination 6.
Regarding the listing in the consent management tool related to the
use of the “IAB Europe Transparency & Consent Framework”:
o The statement and brief explanation were only intended to provide transparency
create and inform the user about how Roularta
want to control the use of cookies, namely by joining a
internationally recognized standard within the digital advertising world.
Regarding the fact that the user of the website has followed the cookie policy of the 449
should consult vendors to get an idea of what's
happened with her data:
o An obligation imposed on it by the IAB TCF.
With regard to not individually documenting the cookies:
o Fixed in the meantime by an update of the cookie policy.
▪ Statement 6: Unjustified storage periods of cookies, Decision on the merits 85/2022 - 15/58
o Here again, the defendant refers to the lack of precise guidelines as to what
concerns the lifespan of cookies.
o She states that this makes it very difficult for companies to (1) understand what the
lifespan is when cookies “should not be kept longer than the time”
necessary to achieve the intended purpose” and (2) their practices
must adjust to comply with the GBA.
o The Inspectorate also incorrectly stated that no information about the
storage period of cookies can be found in the privacy policy (piece 8): “La durée
the conservation variety de cookie à cookie, en général les cookies sont stockés
jusqu'à ce que l'utilisateur supprime les cookies (...)". Paragraph 11 of the
privacy policy(Part8)in factcontainstwotypesofinformationabouttheretention time
of cookies: (i) the fact that the duration varies from cookie to cookie (ii) the fact that
the user can disable cookies, resulting in zero retention time
(since cookies are not active). It is therefore incorrect to state that Roulartaeen
has a retention period, which is in principle unlimited. It is correct that there is no
concrete information could be found about the storage period of cookies, but it
goes too far that the Inspectorate equates this with an unlimited duration.
o Defendant also refers to an amended privacy policy on June 23, 2020,
where now a detailed description of the retention period can be found
to find.
▪ Notice 7: Non-compliance with the withdrawal of consent
o This was due to the technical difficulties related to the use of the
cookie tool OneTrust. The problem was solved by implementing the
Consent Management Platform Didomi.
o Withdrawing consent should be as easy as giving it
of it:Roulartaprovides a simple and easily accessible tool, and
without lowering the level of service.
o In addition, Roularta cannot effectively remove a particular cookie itself from
the device, this should be done by the person concerned.
o In summary, the consequence of withdrawing consent is: “it
blocking and subsequent deletion of cookies in the browser of the
user, no more data processing will take place”. The cookies
will still be installed on the user's device, but
they will be inactive and no longer functional., Decision on the merits 85/2022 - 16/58
15. On December 6, 2021, the Defendant will be notified that the hearing will be
take place on December 17, 2021.
16. On December 17, 2021, the defendant will be heard by the Disputes Chamber.
17. On 23 December 2021, the minutes of the hearing will be sent to the counsel of the
submitted to the defendant.
18. On January 6, 2022, the Disputes Chamber will receive the defendant's comments with
with regard to the official report, which it includes in its deliberations.
19. On April 20, 2022, the Disputes Chamber notified the defendant of its intention
to proceed with the imposition of an administrative fine, as well as the amount thereof
in order to give the defendant the opportunity to defend itself before the sanction takes effect
is imposed.
20. On 11 May 2022, the Disputes Chamber will receive the defendant's response to the intention to
the imposition of an administrative fine, as well as the amount thereof.
II. Justification
II.1. Competence of the Data Protection Authority
21. In accordance with Article 4, §1 WOG, the Data Protection Authority is “responsible for”
monitoring compliance with the basic principles of data protection,
within the framework of this law and of the laws containing provisions for the protection of the
processing of personal data.” From the wording of the Explanatory Memorandum of the
WOG shows that the competence of the GBA must be interpreted very broadly:
“The Data Protection Authority acts with regard to legislation that
contain provisions regarding the processing of personal data, such as, for example
the law regulating a national register, the law establishing and organizing
a Crossroads Bank for Social Security, the Act establishing a
Crossroads Bank for Enterprises, etc.” 10
It can be deduced from the foregoing that the intention of the legislator was to make the GBA a
confer general and horizontal competence with regard to the protection of
personal data. The GBA therefore not only has supervisory powers with regard to the GDPR,
10Belgian Chamber of Representatives, Draft law establishing the data protection authority, 23 August
2017, DOC 54 2648/001, 13., Decision on the merits 85/2022 - 17/58
but also with regard to other legislation relating to the processing of
personal data.
22. With regard to the use of cookies, reference should be made in this regard to the European
Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and
protection of privacy in the electronic communications sector (“e-mail
privacy directive"), which has been partially transposed in Belgian law by the Electronics Act
Communications (WEC). In particular, Article 5(3) of the ePrivacy Directive is important in this regard, such as
converted at the time into (former) Article 129 WEC (cf. infra). The first provision reads as follows:
"Member States shall ensure that the storage of information or the obtaining of access
to information already stored in the terminal equipment of a subscriber or user,
is only allowed on the condition that the subscriber or user concerned has consent
has provided, after having been provided with clear and complete information in accordance with
Directive 95/46/EC, including on the purposes of the processing. This does not constitute a
prevent any form of technical storage or access for the sole purpose of
carrying out the transmission of a communication on an electronic
communication network, or, if strictly necessary, to ensure that the provider
of a service expressly requested by the subscriber or user of the
information society provides this service.”
23. With regard to the jurisdiction of the Disputes Chamber with regard to the e-Privacy Directive and the
WEC refers the Disputes Chamber to its previous decisions 12/2019 of 17 December 2019,
19/2021 of February 12, 2021, 24/2021 of February 19, 2021 and 11/2022 of January 21, 2022.
24. The Disputes Chamber furthermore emphasizes that as a body of the GBA it is competent to rule on
the legality of personal data processing activities in accordance with Article 4, §1
WOG, as well as Article 55 GDPR, and this in the light of Article 8 of the Charter of Fundamental Rights
of the European Union.
25. Furthermore, at the time of the Inspectorate's findings, under Belgian law, the Belgian
Institute for Postal Services and Telecommunications (BIPT) the competent authority for the law
on electronic communications (WEC), including Article 129 of that Act, which
implements Article 5(3) of the ePrivacy Directive. Nevertheless, the concept depends
consent under the ePrivacy Directive inseparable from the requirements of consent
under the GDPR, which was also clarified in guidelines regarding consent by the WP29 as
11
legal predecessor of the European Data Protection Board (hereinafter: “EDPB”).
1EDPB, Guidelines 5/2020 on consent in accordance with Regulation 2016/679, 4 May 2020, inter alia para. 7., Decision on the merits 85/2022 - 18/58
26. In addition, in this regard, particular reference should be made to Opinion 5/2019 of the
EDPB on the interaction between the ePrivacy Directive and the General Regulation
Data protection, in which the EDPB states:
“The data protection authorities are empowered to enforce the GDPR
fact that a sub-part of the processing within the scope of the e-mail
Privacy Directive, limits the powers of data protection authorities
not under the GDPR”.12
27. In the aforementioned opinion, the EDPB states that the provisions of the ePrivacy Directive are after all
“clarify and complete” with regard to the processing of personal data in the sector
of electronic communications, with a view to ensuring compliance with the
Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Article 5, paragraph 3 of the
ePrivacy Directive is hereby cited as an example of such a “specification provision”.
28. That the provisions of the ePrivacy Directive - as well as its transposition provisions - as a
clarification of and addition to the provisions of the GDPR should be considered,
is also explicitly confirmed in the Explanatory Memorandum to the WEC bill:
“Section 2 of Chapter III of Title IV is mainly devoted to the transposition of
Directive 2002/58/EC of 12 July 2002 of the European Parliament and of the Council on
the processing of personal data and the protection of privacy
in the electronic communications sector (the so-called «Privacy Directive and
electronic communication», hereinafter referred to as: «the Privacy Directive»). The provisions of
this department set up a specific privacy protection regime in some places,
adapted to the characteristics and needs of the electronic
communication.Other placestheprovisionsofthisdepartmentmustbeseen
as a supplement to the provisions of the Act of 8 December 1992 on the
protection of privacy with regard to the processing of
personal data (hereinafter referred to as: “the Privacy Act”).” 15(own underlining)
29. In its judgment Planet49, the Court of Justice also ruled that the collection of cookies as
processing of personal data can be considered. The Court confirmed in the aforementioned
judgment that the intent of Article 5(3) of the ePrivacy Directive is to “tell the user
protect against interference in his private life, whether or not that interference relates to
12EDPB, Opinion 5/2019 on the interplay between the ePrivacy Directive and the General Data Protection Regulation, with
in particular as regards the tasks and powers of data protection authorities, 12 March 2019, marginal no. 69.
13
Ibid, edge no. 38.
14Ibid, edge no. 41.
15 Bill on Electronic Communications, Parl. St. Kamer, DOC 51 1425/001, p. 73. The current Article 129 is in the
draft law article 138.
16
Judgment Planet49, § 45., Judgment on the substance 85/2022 - 19/58
personal data". Furthermore, the Court of Justice stated that Article 5(3) of the ePrivacy Directive
must be interpreted in the light of the GDPR, and in particular Articles 4.11, 6.1 a)
(consent requirement) and 13 GDPR (information to be provided).
30. In this regard, the Disputes Chamber also refers to the proposal for the e-Privacy Regulation in which
provides that the supervision and compliance with the Regulation will be entrusted to the
supervisory authorities responsible for the supervision of Regulation (EU)
2016/679. 18
31. Finally, the Disputes Chamber points out that since the entry into force of the Act of 21 December
2021 transposing the European Electronic Communications Code and
amendment of various provisions on electronic communications on January 10, 2022 the DBA
is henceforth competent, in accordance with Belgian law, for the supervision of the provisions relating to
the placement and use of cookies (i.e. “storing information or gaining access”
to information already stored in a subscriber's or user's terminal equipment").
The aforementioned law brought changes to the WEC, among other things. In particular, Article 256 provides for
the law of December 21, 2021 the abolition of article 129 WEC and the transfer of this
provision according to the law of 30 July 2018 on the protection of natural persons with
19
regarding the processing of personal data (WVP). Article 10/2 WVP now reads as
follows:
“In application of Article 125, § 1, 1°, of the Law of 13 June 2005 on electronic
communication and without prejudice to the application of the Regulation and this law, the storage of
information or accessing information already stored in the
a subscriber's or a user's terminal equipment is permitted only on the condition that:
1° the subscriber or user concerned, in accordance with the conditions laid down in the
Regulation and in this law, get clear and precise information about the purposes of the
processing and its rights under the Regulation and this law;
2° the subscriber or end user has given his consent after being informed
in accordance with the provision under 1°.
The first paragraph does not apply to the technical storage of information or access to
information stored in the terminal equipment of a subscriber or an end user with as
the sole purpose of transmitting a communication via an electronic communications network
1Judgment Planet49, §69.
18Article 18, Proposal for a Regulation of the European Parliament and of the Council on respect for the
privacy and the protection of personal data in electronic communications, and repealing Directive 2002/58/EC,
COM/2017/010 final.
19Law of 21 December 2021 transposing the European Electronic Communications Code and amending various
provisions on electronic communications, Belgian Official Gazette 31 December 2021., Decision on the merits 85/2022 - 20/58
perform or provide a service expressly requested by the subscriber or end user
when this is strictly necessary.”
In view of the fact that the GBA has the residual competence to supervise the provisions
of the WVP, the material competence of the GBA with regard to the placement and
use of cookies confirmed.
32. The Disputes Chamber points out, however, that, in view of the fact that this amendment dates from after the
conclusion of the debates in the present case, in this case further account will be taken of the
legislative framework as it existed at the time of the (start of) procedure before the GBA.
33. In any case, the GBA is therefore competent to judge – also under the legal situation that applied at the time of
at the time of the determinations of the Inspectorate – to judge the legal validity of a
given permission to place cookies. In that sense, the GBA is also authorized to:
to exercise its powers of control over all other terms and conditions that are
imposed by the GDPR for activities involving the processing of personal data – such as
20
the obligations regarding transparency and information (Article 12 et seq. GDPR).
II.2. Introduction to the general principles regarding the use of cookies
34. Before discussing the findings contained in the report of the investigation, the
Litigation Chamber it is useful to understand the general principles regarding the use of cookies and
other means of tracing. 21
35. The term "tracking tools" includes cookies and HTTP variables, which may be placed via
web beacons or web pixels, flash cookies, access to terminal information from APIs (Local Area
Network), and information from APIs (LocalStorage, IndexedDB, advertising identifiers such as identifiers
such as IDFA or Android ID, GPS access, etc.), or any other identifier generated
by a software or an operating system (serial number, MAC address, unique terminal identifier
(UDI), or a set of data used to uniquely identify the
terminal (e.g. via fingerprints).
36. Cookies and other tracking devices can be distinguished by
various criteria, such as the purpose they serve, the domain in which they are placed, or their
lifespan.
20Comparison about the scope of this control power as well as the judgment of the EU Court of Justice of 15 June
2021, C-645/19, ECLI:EU:C:2021:483, para. 74.
21
See also the theme page on the website of the Data Protection Authority, available at:
https://www.dataprotectionauthority.be/burger/thema-s/internet/cookies, Decision on the merits 85/2022 - 21/58
37. Cookies can be used for various purposes (for example, to support the
communication over the network, for audience measurement, for marketing and/or behavioral
advertising purposes, for authentication purposes, etc.).
38. They can be used, inter alia, to support communication over the network
(login cookies), to measure the audience of a website (visitor number cookies, also called
referred to as "analytical cookies" or "statistical cookies"), for marketing and/or advertising based on
of behaviour, for authentication purposes, for website security, for load balancing,
to personalize the user interface or to allow the use of a media player
to create (flash cookies).
39. Cookies can also be distinguished based on the domain through which they are stored
placed on your device. The "first party" cookies are placed directly in the address bar
of the browser by the registered domain. In other words, it concerns cookies that
owner of the website you are visiting. The "third party" cookies are
posted by a domain that is different from the domain you are visiting. This is the case
when the website incorporates elements from other websites, such as images, social media
“plugins” (for example, the Facebook “like button”) or advertisements. When this
elements retrieved by the browser or other software from other websites may
these websites also place cookies that can then be read by the websites that have them
posted. These "third party cookies" enable these third parties to track the behavior of the
tracking internet users over time and across numerous websites and based on this
to create data profiles of people (profiling), so that they can be used in the future, for example
be able to place more accurate and targeted marketing during the future surfing sessions of
these internet users, who are traced in this way.
40. Cookies can be further distinguished according to their lifespan. In this regard,
made a distinction between "session cookies" and "persistent cookies". Session cookies become
deleted automatically when you close your browser, while the "persistent cookies" are in your device
(computer, smartphone, tablet, etc.) remain stored until a predetermined expiration date (which
can be expressed in minutes, days or years, if applicable).
41. Furthermore, from a legal point of view, a distinction must be made between, on the one hand, the
means of tracking which require the prior consent of the user and,
on the other hand, those for which it is not required.
42. In accordance with article 129 WEC, there are two situations in which for the setting or reading of cookies
22
no prior consent should be obtained from the data subject:
22In so far as relevant, Section 129 WEC reads as follows: “The storage of information or the gaining of access to information that
is already stored in the terminal equipment of a subscriber or a user is only permitted on the condition that […] 2° the
subscriber or end user has given his consent after being informed in accordance with the provisions in 1°. The first paragraph is, Decision on the substance 85/2022 - 22/58
1) when the cookie has the sole purpose of sending a communication via a
electronic communications network (for example, load balancing cookies); and
2) when the cookie is strictly necessary to enable an express by the subscriber or end user
to provide the requested service (such as, for example, cookies that enable the shopping cart
or cookies that are used to ensure the security of a banking application).
43. For the placement of other cookies and tracing means, the prior
User consent is required, in accordance with Article 129 WEC.
44. This includes cookies or other tracking devices that enable the display of
(personalized) advertising or related features for sharing on social networks. Bee
In the absence of a valid consent, these not strictly necessary cookies cannot be used on the
device of the user are placed or read.
45. The Disputes Chamber points out that, in order to be in accordance with the GDPR, the aforementioned
consent should be informed, specific and free and that the user can do it just as easily
must be able to revoke if it was given (cf. also infra title II.5.6).
II.3. As to the alleged lack of guidance
46. In its response, the defendant argues that cookie compliance is a technical and
is a complex subject that requires both technical and legal expertise. She argues that the GBA
would not have provided sufficient support to companies to comply with applicable regulations
to apply correctly.
47. More specifically, the defendant argues that the GBA, at the time of the findings by the
Inspection service in this file, had not issued any guidelines regarding the use
of cookies. This is in contrast to the French supervisory authority (CNIL).
48. The Disputes Chamber points out that both at the level of the European Union and at the Belgian
level, advice and positions from authorities already existed regarding cookies under the e-mail
privacy directive many years before 25 May 2018. 23 At the European level, the Working Group
Article 29 in 2012 expresses an opinion on the exceptions for consent for cookies. 24 on
at the Belgian level, the legal predecessor of the GBA, the Commission for the
not applicable for the technical storage of information or access to information stored in the terminal equipment of a
subscriber or end user for the sole purpose of transmitting a communication over an electronic
communications network or to provide a service expressly requested by the subscriber or end user when doing so
is strictly necessary for this." (the Disputes Chamber underlines)
23 Pursuant to Article 99 of the GDPR, the Regulation has been in force since that date.
24
WP29, Opinion 04/2012 on Cookie Consent Exemption (“Opinion 4/2012 on waiver of the consent obligation for
cookies”), 7 June 2012, WP194, available at: https://ec.europa.eu/justice/article-29/documentation/opinion-
recommendation/files/2012/wp194_en.pdf., Decision on the merits 85/2022 - 23/58
Protection of Privacy (“CPP”), guidelines already in 2015 regarding the
use of cookies. 25Furthermore, at the time of the determination of the
Inspectorate, and there are currently many guidelines and advice that are directly
relate to the situation regarding cookies that occurs in this file, such as
guidelines on legal consent. 26
49. It is indeed true that the legal situation, as well as the technical possibilities with and for
cookies, have changed since the entry into force of the GDPR. The Disputes Chamber has already
2019 made its first decision on cookies, which was also published on the
website of the Data Protection Authority. 27
50. Although the Disputes Chamber clearly recognizes that both the EDPB and the GBA itself as
supervisory authority have powers to formulate opinions and guidelines and
publication in connection with the protection of personal data, the Disputes Chamber points out
points out, however, that this is part of the tasks and competences of those institutions, and not in itself
28
is an obligation. After all, it cannot be expected from supervisory authorities
become that in a digitized society on every (changed) aspect of the processing of
take a position of personal data proactively, where the lack of such positioning
would hinder enforcement.
51. For that reason, the European legislator has chosen to take responsibility for
place the processing of personal data with the controller, without
reservation in the absence of clarity regarding certain technical situations. 29 Among those
processing responsibility also includes demonstrating that data subjects have a legally valid
consent, as well as the adequate follow-up of the consequences of its withdrawal,
30
which is extremely relevant in the present case.
52. In this regard, it is the defendant, as operator of the contested websites, which chooses
a certain structure by a certain provider for placing cookies (choice for
certain “resources”) to collect advertising income through this way, among other things (choice for a
particular “purpose”). Due to the defendant's choice of a particular management of its websites,
it is the complexity of the defendant's processing activities per se that necessitates a
25
CPP, Recommendation of its own accord on the use of cookies no. 01/2015.
26At the time of the determinations, the following guidelines, among others, were relevant: WP29, Guidance on
Consent under Regulation 2016/679, WP259 rev.01, as adopted by the European Committee for
Data protection dd. May 25, 2018: EDPB, Endorsement 1/2018, available at:
https://edpb.europa.eu/sites/default/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
27 Dispute Chamber Data Protection Authority, Decision 12/2019 of 17 December 2019, available at:
https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-12-2019.pdf.
28Resp. Articles 70(e) and 58(3)(b) GDPR.
29
Articles 5, paragraph 2, as well as 24 and 25 GDPR;
30Comparatorinformativetitle:E.M.FRENZEL,"DS-GVOart.5. GrundsätzefürdieVerarbeitungmensenbezogenerDaten”inBoris
P Paal and Daniel Pauly (eds), Datenschutz-Grundverordenung Bundesdatenschutzgesetz (CH Beck 2021), (85)106, marg. 52., Decision on the substance 85/2022 - 24/58
thorough - and admittedly technically complex - investigation and subsequent analysis of a factual
situation. The alleged lack of concrete guidelines in the current context cannot therefore
serve as an argument against a breach of data protection law.
II.4. As for the alleged inaccuracies during the investigation
53. The defendant argues in the first instance that the Inspectorate's investigation did not
performed according to the rules of the art. In summary, the defendant argues that:
- there are discrepancies between the results obtained through the automated and de
manual cookie scan;
- there is a lack of documentation of the cookie classification by Onetrust and Cookiebot;
- unclear terminology is used in the research report;
- use is made of unprofessional tooling.
54. Second, the defendant alleges that the Inspectorate used sources and tools that were not
be official.
55. The Disputes Chamber first points out that, in accordance with Article 72 WOG, the inspector
generals and inspectors may “proceed to any investigation, any inspection, any interrogation, as well as
obtain any information they deem necessary to satisfy themselves that the Fundamental Principles
of the protection of personal data, within the framework of this law and of the laws enacted
contain provisions on the protection of the processing of personal data, to which they
supervision, are actually complied with”.
56. Article 67 WOG provides that “the investigative measures [may] give rise to a lawsuit
verbally establishing an infringement. That official report has evidential value to the contrary
has been proven”. The Inspectorate has carried out several investigative acts of which it de
detailed results in reports.
57. The findings of the Inspectorate are administrative acts that fall under the
material motivation obligation, and for that reason must be supported by "motives that are legitimate"
31
and are in fact acceptable and which must therefore be verifiable."
material obligation to state reasons, on the other hand, it is not required that such motives are explicitly stated
be included in the administrative act itself. In other words, it is not required that the
Inspection service all aspects – such as a detailed outline of the programming language used
31I. Opdebeek & S. De Somer, General Administrative Law (2nd edition), 2019, 435, par. 944., Decision on the merits 85/2022 - 25/58
within and with which it uses research instruments, the technical terminology and so on
– formally reasons for its findings.
58. It is only in the context of "decisions of individual scope", such as the present one of
the Disputes Chamber, that in the decision itself (explicitly) the legal and factual considerations
must be stated on which the decision is based, and this in an adequate manner. 32 De
Belgian legislator has approved the review of the investigative acts of the Inspectorate
expressly restricted, since it leaves it to the Inspector General and his inspectors
to ensure "that the resources they employ are appropriate and necessary." (art. 64, §2
WOG). It is therefore not up to the Disputes Chamber to make the choices for certain
to test investigative resources, where they appear to be within the powers of the Inspectorate
and in which the principles of general good governance have apparently been observed .33
59. As regards the discrepancies invoked by the defendant between the manual and the
automated cookie scan, the Disputes Chamber points out that the aforementioned differences
explained by the fact that additional operations were performed manually during the manual scan,
or the “maximum” permission was granted in the cookie banner, which means additional
cookies were placed. However, this is not possible with the automated cookie scan –
performed through the Website Evidence Collector (WEC) – which cannot grant permission and through
which therefore only detects those cookies that have been used without permission
posted.
60. It should also be noted in this regard that this was expressly stated
in the technical investigation report drawn up by the Inspectorate. 34
61. With regard to the cookies that were placed without permission, it should be
pointed out that the different methods actually yielded almost the same results.
62. In this regard, it should also be emphasized that it is by no means technically possible that
cookies would be detected that were not placed. If the detection of the cookies
had been done carelessly - quod non - this could only have resulted in
effectively placed cookies were not detected by the tool and as a result this should only be done in the
could have benefited the defendant.
32Article 3 Law of 29 July 1991 on the express statement of reasons for administrative acts, see also judgment of the Court of Appeal
Brussels (Market Court section) of 9 October 2019, 2019/AR/1006: “The main raison d'être of the obligation to state reasons […]
consists in the fact that the person concerned must be able to find the same motives as to which they are interested in the decision
was taken […]"
33See mutatis mutandis also Judgment of the Brussels Court of Appeal (Market Court section) of 7 July 2021, 2021/AR/320, 21: “The [Marktenhof]
has no jurisdiction to adjudicate on statements made by the Inspectorate […]”
34
For example, technical research report website Knack, p.4(“3.Analysis”):“First, all websites, including the website
of “Knack”, automatically investigated by WEC. Then the various choices presented, provided by the website
with regard to cookies, manually followed from “minimum” consent to “maximum” consent (…)”., Decision on the merits 85/2022 - 26/58
63. In line with this, the Disputes Chamber points out, with regard to the argument of the
defendant, according to which it is not possible to verify whether the investigation
whether or not cache memory has been emptied and temporary internet files may be present
were, can only be relevant for the manual search via Cookiemanager, but that this is not of
applies to the automatic inquiry carried out via the WEC (which always
starts as if the browser hadn't been manipulated in that sense in any way yet). Also during this last
automatic search did detect not strictly necessary cookies on the
researched websites.
64. As regards the argument raised by the defendant regarding the alleged
unprofessional character of the tools used, in particular theWebsiteEvidenceCollector,
the Disputes Chamber first points out that, in accordance with Article 64, §2 WOG, the inspector
General and the inspectors, when exercising the powers referred to in Chapter 6,
ensure that the resources they use are appropriate and necessary. This is the case regardless
whether the resource used is ad hoc software or not, a beta version or not.
65. In addition, it should be noted that the changes made between versions 0.3.1 and 1.0.0
applied to the tool WEC only concern "features" or "bug fixes", i.e. improvements
benefit of the researcher so that the tool does not crash, freeze or generate errors.
In other words, if the WEC version 0.3.1 has detected a cookie, it means
that the tool has worked. After all, it is impossible for an instrument like this to be
accidentally detect a non-existent cookie.
66. Finally, the Disputes Chamber points out that the defendant in no way demonstrates that this,
as controller, is able to make a full inventory of the placed
to make cookies. At no point during the proceedings does the defendant have its own
an inventory of the cookies used on the websites concerned. On the contrary
the defendant argued at the hearing that IAB occupies a dominant position and its
requirements are imposed in this way, as it were, and that the publishers are therefore not in a position to
to control all these cookies. The defendant added at the time of the hearing
accept that the inventory of cookies should ideally be done several times a day
as the situation is constantly changing. However, the fact that a supplier has a dominant position –
e.g. occupies a mono- or oligopolistic position in the online advertising market,
cannot in itself be exempted from responsibilities for the
bring the controller.
II.4. The IAB TransparencyandConsent Framework (“IAB TCF”), Decision on the merits 85/2022 - 27/58
35
67. In this regard, the Disputes Chamber refers to its decision 21/2022 of 2 February 2022.
68. The Disputes Chamber stated in this decision: “IAB Europe is a federation that
and marketing industry on European
level represents. It includes both corporate members and national associations, with
their own company members. Indirectly, IAB Europe represents approximately 5,000 companies,
including both large companies and national members” 36
69. IAB Europe itself described its operation as follows: “In its current form, the TCF is a
cross-sector standard for best practice that
makes it easier for the digital advertising industry to comply with certain EU regulations
privacy and data protection and that individuals have greater transparency and
control over their personal data. In particular, it is a "framework" within which
companies operate independently and that helps them comply with the GDPR legal basis for the
processing of personal data and to the ePrivacy Directive, which requires that the user
must consent to the storage of and access to
information on a user's device.”37
70. In the reply, as well as at the hearing, the defendant argues that
it can only allow advertisements on its website if it respects the IAB TCF.
71. The Disputes Chamber first points out that the defendant does not adduce any evidence to
support the argument set out above. The Disputes Chamber also states:
determined that the administrators of other similar media websites do not use the IAB
TCF. In any event, the defendant is not obliged to use IAB's TCF.
72. The Disputes Chamber points out that the defendant, as operator of the contested websites and as
controller within the meaning of Article 4(7) GDPR of the personal data of the
users of the aforementioned websites on the basis of the contained in Article 5, paragraph 2 j° 24 GDPR
accountability is responsible for complying with the provisions of the GDPR for the
processing involved and for demonstrating it.
II.5. Established Infringements
II.5.1. Lack of valid consent (Article 6, paragraph 1, point a) GDPR j° Article 129
WEC)
35Available via: https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-21-2022.pdf.
36
Ibid, para. 36.
37Ibid., para. 39., Decision on the substance 85/2022 - 28/58
II.5.1.1. Placing non-strictly necessary cookies before the
permission was obtained–determination 1Inspection Service
73. Article 6(1) of the GDPR provides that processing of personal data is lawful only if
it is based on one of the processing bases mentioned in this provision.
74. Article 6(1) of the GDPR serves the processing of personal data through the posting of
cookies should be read in conjunction with (former) article 129 WEC (current article 10/2 WVP),
38
as this article clarifies and supplements the provisions of the GDPR.
75. The aforementioned article therefore stipulates that the permission for placing and/or reading cookies
of the data subject is required, except if the cookies are strictly necessary to 1) the transmission
of a communication over an electronic communications network or 2) to perform a
provide a service expressly requested by the user.
76. In its Planet judgment49, the Court of Justice held that the term “consent” in Article 5,
paragraph 3 of Directive 2002/58 (transposed into Belgian law via former article 129 WEC, current article
10/2 WVP) refers to “the consent of a data subject” as defined and specified
in Directive 95/46 (i.e. the legal predecessor of the GDPR). 39The EDPB states in its Guidelines
05/2020 of 4 May 2020 regarding consent in this regard: “The EDPB notes that the
requirements for consent under the GDPR are not considered to be an ‘additional obligation’, but
rather as preconditions for lawful processing. Therefore, the GDPR conditions for obtaining valid
consent are applicable in situations falling within the scope of the e-Privacy Directive”.0
77. The Disputes Chamber points out that Article 4, point 11) GDPR defines the valid “consent” as
follows: “any free, specific, informed and unambiguous expression of will by which the
data subject by means of a statement or an unambiguous active act
concerning the processing of personal data”.
78. The technical analyzes of the Inspectorate show that for the website of Knack 66 cookies
and for the website of Le Vif 60 cookies were installed before the consent of the
person concerned was asked. This includes third party cookies (48 for the website
van Knack and 44 for the website of Le Vif). Although it is in principle not excluded that third
party cookies are also strictly necessary for the operation of the website, it may be legal
distinction with a first party, however, are a parameter in the evaluation of whether a cookie is strictly
38
EDPB, Opinion 5/2019 on the interaction between the ePrivacy Directive and the General Data Protection Regulation, with
in particular as regards the tasks and powers of data protection authorities, 12 March 2019, marginal no. 38.
39Judgment of the Court of Justice of 1 October 2019, C-673/17, ECLI:EU:C:2019:801, Planet49, paragraph 50.
40
EDPB, Guidelines 05/2020 on Consent under Regulation 2016/679, 4 May 2020, p. 6 (no. 7). Free translation: “The EDPB notes that
the consent requirements of the GDPR should not be regarded as an "additional obligation", but rather as
conditions for lawful processing. The AVG conditions for obtaining a valid consent are therefore
applicable in situations falling within the scope of the ePrivacy Directive.”, Decision on the substance 85/2022 - 29/58
41
is necessary. In addition, the defendant does not demonstrate that these cookies are strictly
are necessary.
79. In this regard, the Disputes Chamber refers to advice no. 10/2012 of the former Commission
for the Protection of Privacy (predecessor of the DPA) about the
draft law containing various provisions relating to electronic communications
that the cookies that are exempt from the consent requirement mainly provide certain “first”
party cookies”. The Commission pointed out that in this case it concerns cookies that are
placed by the user himself and which include language settings and personal proposals
remembered at an online store (for example, customer identification and the virtual shopping cart). 42
Furthermore, the aforementioned advice states that certain cookies are clearly not covered by the exemption on
the information obligation. This concerns the most intrusive and latest cookie types (such as
“supercookies” or “evercookies”). The Commission stated that this mainly concerns “third party”
cookies about which very little or no information is given by the various controllers,
43
and for which special expertise and software is required in order to delete the cookies. er
In that advice, the legislator was also clearly asked to provide additional information in Article 129 WEC
provide an explanation for which type of cookies concrete permission is required. 44The legislator
has failed to provide further clarification on this.
80. The Article 29 Working Party has stated in its Opinion 04/2012 on exemption from the
consent obligation for cookies provided that: “third-party cookies” moreover usually
are not “strictly necessary” for visiting the website, as such cookies
usually relate to a service other than that for which the user “explicitly”
45
has asked". The Article 29 Working Party states that “according to the purpose,
the specific implementation, or the specific processing must be determined or a cookie then
cannot be exempted from the consent requirement”.
81. Consent must in principle be obtained for all cookies, unless the cookies
are “functional” or “strictly necessary”, according to the criteria set out in article 129 WEC (see above).
41
Compare: WP29, Opinion 04/2012 on Cookie Consent Exemption, June 7, 2012, p. 5: “[…]'third party' cookies are usually not 'strictly
necessary’totheuservisitingawebsitesincethesecookiesareusually relatedtoaservicethatisdistinctfromtheonethathasbeen
'explicitly requested' by the us; free translation by the Disputes Chamber: “third party cookies are usually not strict
necessary for the visitor to a website, as these cookies are usually related to a service that is different from
the one expressly requested by the user.”
42
Opinion no. 10/2012 of 21 March 2012 on the draft law on various provisions relating to electronic
communication (CO-A-2012-009), § 51.
43Advice no. 10/2012, §52.
44Opinion no. 10/2012, § 64.
45GroupData ProtectionArticle 29, Opinion No. 04/2012 on the waiver of the consent obligation for cookies, p.60., Decision on the merits 85/2022 - 30/58
It is in accordance with its duty of responsibility to the defendant to demonstrate that cookies
are strictly necessary, and therefore no consent is required.
82. The report of the Inspectorate's investigation shows that only 2 cookies on both the
Knack's and Le Vif's website were found to be strictly necessary. Only these two cookies
should therefore in principle be placed without the consent of the data subject. At
these, the Disputes Chamber repeats, the defendant does not put forward any arguments as to why the
other cookies that the Inspectorate detected, (also) if strictly necessary
are considered.
83. The Inspectorate supported the description of “strictly necessary cookies” on a
definition included on the website www.gdpr.eu , which contains strictly necessary cookies as follows
are defined:
“Strictlynecessarycookies -Thesecookiesareessentialforyoutobrowsethewebsiteand
use its features, such as accessing secure areas of the site. Cookies that allow web shops
to hold your items in your cart while you are shopping online are an example of strictly
necessary cookies. These cookies will generally be first-party session cookies. while it is
not required to obtain consent for these cookies, what they do and why they are necessary
should be explained to the user”. (own underlining)
In Dutch: “Strictly necessary cookies – These cookies are essential for you
surf the website and make use of its opportunities, such as visiting
from secure parts of the site. Cookies that allow web shops to put things in the basket
while shopping online are examples of strictly necessary cookies. This one
cookies will generally be first-party cookies. Although it is not required
to obtain consent for these cookies, the user must be explained
what they do and why are necessary.” (own translation and own underlining by the
dispute room)
The Disputes Chamber points out that the aforementioned definition was used to clarify the
findings of the Inspectorate. From the actual legal provision, Article 129 WEC, in
se be deduced the same.
84. For both the Le Vif and Knack websites, 2 cookies were deemed strictly necessary
qualified:
Le Vif Knack
OptanonConsent OptanonConsent
46A website subsidized by the EU under the Horizon 2020 Framework Programme., Decision on the merits 85/2022 - 31/58
PHPSESSID PHPSESSID
In order to classify the various cookies, the Inspectorate took the information into account
about the specific cookie on the website, the cookie bot report or a manual interrogation. 47
85. The Disputes Chamber points out that the defendant itself states in its statement of defense that
due to a lack of technical knowledge of the cookie tool OneTrustop used at the time
was poorly implemented. The defendant adds that cookies that would
have been placed. Moreover, during the hearing of the defendant, it appeared that
acknowledges that not strictly necessary cookies were placed without obtaining
with the consent of the data subjects.
86. On the basis of the above, the Disputes Chamber finds that an infringement was committed by the defendant
committed on Article 6 (1) point a) GDPR j° Article 129 WEC.
II.5.1.2. Placing statistical cookies without permission – observation 2
Inspection service
87. The technical analysis report of the Inspectorate shows that statistical cookies are used
posted before permission was obtained. From the then by the defendant
the usedcookie-setting tool turns out that statistical cookies are always active and that
they cannot be turned off.
88. The Disputes Chamber wishes to clarify that Article 129 WEC, which is a supplement and clarification
of the provisions of the GDPR, it appears that placing and/or reading cookies is
required by the data subject, unless the cookies are strictly necessary to enable the transmission of
to carry out a communication via an electronic communications network, or to expressly
provide the service requested by the user. The Disputes Chamber will state its position below:
clarify regarding the placement of statistical cookies.
89. In the decision on the merits 12/2019, the Disputes Chamber defined statistical cookies
as “collecting information about the technical data of the exchange or about the”
useofthewebsite(pages visited,averagedurationofthevisit,...)tothefunctionof
to improve [i.e. to learn how to use the website]. The data on
collected in this way by the website are in principle aggregated and become anonymous
processed but may also be processed for other purposes”. 48
47
For the classification of the different cookies, see p. 15-29 in Knack's technical report.
48GBA, decision on the merits 12/2019 of 17 December 2019, p. 31., Decision on the substance 85/2022 - 32/58
In the case in question, statistical cookies were also placed without prior notice
consent of the data subject. The Disputes Chamber then ruled that “according to the current
state of the law there is no exception for permission for “first party analytical”
cookies' exists, so that prior consent for the placement of such
cookies is indeed required”.9The Disputes Chamber indicated in the decision on the merits 12/2019
that also relates to an advice from the predecessor of the GBA (CBPL) that stated that it is "at the
legislator is to clarify the issue of the non-exemption of the consent of the
users in connection with the origin analysis cookies”.
The placement of "first party statistical cookies" was also not possible, according to the Disputes Chamber
be based on the legitimate interest of the website owner, given the
reading of Article 5(3) of the ePrivacy Directive.
90. Also at European level, the Article 29 Working Party already took a position in 2012
about the consent requirement for statistical cookies. It is clear that the working group 29 of
believes that “first party analytics cookies” are not exempt from the consent requirement
as they are not strictly necessary to expressly
requested function. According to the Article 29 Working Party, it is even the case that the user
can access all functions the website offers without any problems, even when such
cookies are disabled. 50She then additionally stated that “it is not probable, however”
[is] that first party analytics cookies pose a privacy risk if they are strictly
limited to aggregated statistics used for the website operators
by websites that provide clear information in their privacy policy about these cookies and appropriate
provide privacy guarantees”. The Working Group article 29 adds: “Should article 5, paragraph 3, of
Directive 2002/58/EC be revised, then it is appropriate for the European legislator to consider a
add a third waiver criterion for cookies that are strictly limited to cookies from the
first party for the purpose of anonymized and aggregated statistics”.
91. In summary, in its decision on the grounds of 12/2019, the GBA has taken the position that for
the placing of "first party analytical cookies" is in principle a prior
consent of the data subject is required.
49GBA, Decision on the merits 12/2019 of 17 December 2019, p. 31.
50Group Data Protection Article 29, Opinion 04/2012 on exemption from the consent obligation for cookies, 7 June
2012, 00879/12/NL, p. 11.
51It should be noted, however, that the process by which data is aggregated is in itself a processing of
personal data that must comply with data protection legislation, regardless of whether that process
indeed results in statistical data, see also recital 162 GDPR: “[…] The statistical purpose means that the result of
the processing for statistical purposes does not consist of personal data, but of aggregated data […]” (own
underline), Decision on the substance 85/2022 - 33/58
92. In its defence, the defendant cites that the statistical cookies are installed with the following:
exclusive purposes to collect aggregated basic statistics on usage
from its websites. Its cookie policy also stated the following about statistical cookies:
“Analytical and statistical cookies are always loaded, they are used to fully
gain anonymous insight into the way in which the website is used and which
pages are visited with frequency. This information is, among other things, necessary in the
framework of the CIM Internet Study and is used for traffic and profile analysis so that we
can tailor our work even better to your needs.” 52
93. The Disputes Chamber reminds that when statistical cookies are placed on the
terminal equipmentofaninternetuserareyyidentifiedwillbebebehanded
of IP addresses and other identifiers. 53 After all, the Court of Justice has, in its permanent
case law has always used a very broad definition of both “personal data” and of the
concept of “identifiability”. For example, she stated that "as long as information is due to its content, purpose"
or consequence, can be linked to an identified or identifiable natural person
54
by means that can be reasonably deployed, regardless of whether the information is
of which the data subject can be identified entirely from the same
controller is based or partly with another entity, this information serves as
be considered personal data”. 55
94. Based on the technical report of the Inspectorate for the Knack website (p. 15-29)
the Disputes Chamber establishes that for most statistical cookies the website operator either
has a unique identification number, or an IP address available when reading the
cookies. This is logical since only in this way the website can find out how often the website is visited
is used by the same user.
95. With regard to the IP address, the Disputes Chamber states that it is clear that this means that a natural
person can be identified. An IP address has already been designated by the Court of Justice
56
as personal data under the GDPR. Since the placement and reading of a
statistical cookie on the user's terminal equipment the website operator also the IP address in
available, it is also possible for the controller to inform the user
52
Piece 15 from the defendant's collection of documents.
53See recital 30 GDPR; Article 4(1) of the GDPR also explicitly mentions “an online identifier”.
54
CJEU Judgment C-434/16 of 20 December 2017, Nowak v. Data Protection Commissioner, ECLI:EU:C:2017:994, para. 35.
55 CJEU Judgment C-582/14 of 19 October 2016, Patrick Breyer v. Bundesrepublik Deutschland, ECLI:EU:C:2016:779, para. 43; CJEU
JudgmentC-434/16van 20December2017,Nowakt.DataProtectionCommissioner,ECLI:EU:C:2017:994,par. 31:seeoR.ZUIDERVEEN
BORGESIUS, “Singling out people without knowing their names – Behavioral targeting, pseudonymous data, and the new Data
Protectionregulation”,ComputerLaw&SecurityReview,vol.32-2,2016,pp.256-271;R.ZUIDERVEEBORGESIUS,”TheBreyerCase
of the CJEU – IP Addresses and the Personal Data Definition”, EDPL, 1/2017, pp. 130-137.
56CJEU Judgment C-582/14 of 19 October 2016, Patrick Breyer v. Bundesrepublik Deutschland, ECLI:EU:C:2016:779, para. 43., Judgment on the merits 85/2022 - 34/58
identify. It therefore concerns the processing of information from an identifiable
person (by an online identifier, cf. Art. 4, point 1) GDPR).
96. With regard to the registration of a unique identification number, the Disputes Chamber refers to the
decision on the merits 12/2019 where a position has already been taken on the qualification of
a unique identification number. Here the Dispute Chamber decided that assigning a unique
identification number is a form of pseudonymization within the meaning of Article 4. point 5) GDPR. 57 Also the
Article 29 Data Protection Working Party has already expressed its opinion on the interpretation of the
58
concept of “pseudonymised data”. There she argued that pseudonymization is the concealment of
means one identity. The identities of persons can be identified through pseudonymization as
disguised in such a way that re-identification becomes impossible, for example by means of
one-way encryption, which in itself creates anonymized data. 59 Traceable
pseudonymised data can be considered information about an indirect
identifiable person and are therefore personal data within the meaning of the GDPR. 60 In case
by using a pseudonym, data can be traced back to the data subject, so that his/her
identity can be established, data protection rules apply. 61
Based on the settled case-law of the Court of Justice, the Disputes Chamber finds that the
it is possible to determine the identity of a data subject by combining the unique
identification number with other information that may or may not be obtained with the help of third parties
62
become. In this case, the unique identification number must be seen as personal data in
the meaning of the GDPR.
97. In view of the foregoing findings and the broad interpretation of the term
personal data, as confirmed by the case law of the Court of Justice of the EU,
the Disputes Chamber concludes that with regard to the statistical cookies (where there is always an IP
address of the user is available), a prior consent is actually required
is pursuant to Article 6(1)(a) GDPR in conjunction with the national implementing provision
of Article 5(3) of the ePrivacy Directive. After all, it concerns the processing of information from
an identifiable natural person through which the rules of the GDPR undoubtedly apply
are applicable. The lack of such consent on the Defendant's website for the
57According to Article 4.1.5 of the GDPR, “Pseudonymisation” is defined as “the processing of personal data in such a way that the
personal data can no longer be linked to a specific data subject without additional data
be used, provided this additional data is kept separately and technical and organizational measures are taken
are taken to ensure that the data is not given to an identified or identifiable natural person
be linked”
58
Working Party on Data Protection Article 29, Opinion 4/2007 on the concept of personal data, https://ec.europa.eu/justice/article-
29/documentation/opinion-recommendation/files/2007/wp136_en.pdf.
59Ibid., p. 18-19.
60Ibid., p. 19.
61
The Court of Justice has stated in the Breyer judgment that “to determine whether a person is identifiable, it is necessary to
by any means which may be reasonably assumed by the controller,
or by any other person, can be used to identify the aforementioned person” (§42).
62 CJEU Judgment C-582/14 of 19 October 2016, Patrick Breyer v. Bundesrepublik Deutschland, ECLI:EU:C:2016:779, para. 48, Decision on the merits 85/2022 - 35/58
Statistical cookies identified by the Inspectorate thus constitute an infringement of Article 6, paragraph
1, point a) in conjunction with article 129 WEC.
II.5.2. Pre-ticked boxes for the partners (Articles 4, point 11), 6, paragraph 1, point
a) en7(1) GDPR) – determination 3 Inspection service
FindingsInspection Service:
98. It appears from the Inspectorate's report that for Knack and Le Vif 449 “partners” or “vendors” per
default permission is given by pre-ticked boxes. This also turns out
clear from screenshots of the websites included in the technical reports of both Knack
as Le Vif:
99. The Inspectorate states that the GDPR is a “statement or an unambiguous active act”
required (article 4, point 11) GDPR), which means that all supply presupposes the permissions based on a more
implicit way of acting of the data subject, not in accordance with the standards of consent
of the GDPR. The Inspectorate relies on the Planet49 judgment, which made it clear that
Article 2(f) (definition of consent) and Article 5(3) (consent for cookies) of the e-mail
privacy directive, to be read in conjunction with Article 4(11) and Article 6(1)(a)
of the GDPR. The Court of Justice subsequently ruled that consent did not become legally valid
granted when the storage of information by means of cookies or access to already on the substance, Decision 85/2022 - 36/58
terminal equipment of the website user, information stored via cookies is
allowed by default checked checkboxes that this user must
tick off if he refuses to give his consent. In addition, the Inspectorate states that the
the defendant also fails to comply with the obligation to prove under Article 7(1) of the GDPR
that the data subject has given permission not to place strictly necessary cookies.
Defendant's position:
100. The defendant argues that the third finding of the Inspectorate is incorrect. She admits that the
partner companies within the OneTrust Consent management platform default to “active”
but that this did not mean that cookies are automatically set by these third-party partner companies
were installed. After all, according to the defendant, it was not a question of authorization to
placing cookies, but about an indication which IAB vendors could use
making a consent for one or more purposes, provided that this
permission was given. This would only be the case if the person concerned
accepted cookies within the cookie tool. The defendant is therefore of the opinion
that, in the light of the case law of the Court of Justice in the Planet49 judgment, the practice whereby
the cookies of partner companies are set to "active" by default, constitutes a valid consent in
within the meaning of Articles 4.11 and 6.1 a) GDPR.
101. The Disputes Chamber finds that the defendant indicates in its claims that its practice
has adapted on this aspect by implementing a new Didomi Consent
Management Platform in March 2020. None of the partner companies would currently
are automatically set to “active” and the user must now actively make a choice.
Position of the Dispute Chamber:
102. The Disputes Chamber will meet the criteria for a valid consent in this section. Article
4 pt. 11) GDPR defines “consent” of the data subject as “any free, specific,
informed and unambiguous expression of will with which the data subject by means of a
statement or an unambiguous active act concerning him/her processing of
accept personal data”.
103.Article 7 GDPR contains the conditions that apply to the consent:
1. When the processing is based on consent, the controller must
be able to demonstrate that the data subject has given consent for the processing of
his personal data.
2. If the data subject gives consent within the framework of a written statement that
also relates to other matters, the request for consent shall be
in an understandable and easily accessible form and in clear and simple language
presented in such a way that a clear distinction can be made from the others, Decision on the substance 85/2022 - 37/58
affairs. Where any portion of such statement constitutes an infringement
on this regulation, this section is not binding.
3. The data subject has the right to withdraw his consent at any time
of the consent does not affect the lawfulness of the processing based on the
consent before its withdrawal, without prejudice. Before being involved
consent, he will be notified accordingly. Withdrawal of consent
is as easy as giving it.
4. When assessing whether consent can be freely given,
among other things, the question of whether for the implementation of a
agreement, including a service agreement, consent is required for
processing of personal data that is not necessary for the execution of that
agreement.
104.In addition, Article 5(3) of the ePrivacy Directive, as transposed by Article 129 of the WEC establishes
the time of the inspection by the Inspectorate, the condition that the user "are
has given permission" for the placement and consultation of cookies on its terminal equipment,
with the exception of the technical registration of information or the provision of a service for which
the subscriber or end user has expressly requested and where the placement of a cookie
strictly necessary for that purpose.
105.Recital 17 of the ePrivacy Directive specifies that for the purposes of this Directive the
the term “consent” must have the same meaning as “consent of the data subject”, such as
63
defined and specified in the GDPR.
106.In the Planet49 judgment, the Court of Justice of the European Union set the consent requirement
for placing cookies after the entry into force of the GDPR. She stated that
explicit active consent is required: so “active consent" is indisputably required
according to the correct interpretation of the GDPR. 64 Recital 32 indeed provides that:
“Consent must be given through a clear active act,
for example, a written statement, also by electronic means, or an oral statement
statement, showing that the data subject is free, specific, informed and unambiguous
consent to the processing of his personal data. This could include the
clicking on a box when visiting an internet website, selecting technical
institutions for information society services or any other statement or
other act which clearly shows in this regard that the data subject consents to the
proposed processing of his personal data. Silence, the use of already
63
The GDPR as a replacement for Directive 95/46/EC.
64Judgment of the Court of Justice of 1 October 2019, C-673/17, ECLI:EU:C:2019:801, Planet49, para. 73, Judgment on the substance 85/2022 - 38/58
ticked boxes or inactivity should therefore not constitute consent. The permission
must apply to all processing activities that serve the same purpose or purposes.
If the processing has multiple purposes, consent must be obtained for each of them
granted. If the data subject has to give his consent after a request via electronic
resources, that request should be clear, concise and not unnecessarily disruptive to the
use of the service in question.” (the Disputes Chamber underlines).
107. On the basis of these considerations, the Disputes Chamber argues that the permission referred to in the
Articles 2(f) and 5(3) of Directive 2002/58, transposed into Article 129 WEC at the time of the
findings, read in conjunction with art. 4, par. 11 and art. 6 (1) point a) GDPR, not valid
is given by a standard checked box that the user must uncheck in order to
refuse to give permission (in this case it is therefore about giving permission to the
partners for one or more purposes for which permission must be given in another window
Be given). 65
108. In concrete terms, this means that the data subject must receive information about the way in which he/she is
wishes with regard to cookies, and how to “all, some or no cookies”
can accept.
109.For example, confirming a purchase or accepting the general
conditions are not sufficient to assume that valid consent has been given for
placing or reading cookies. Nor can permission be given for the
mere “use” of cookies, without any further specification of the data sent through this
cookies are collected or the purposes for which this data is collected. The GDPR
indeed requires a more detailed choice than a simple "all or nothing", but requires
no consent for each individual cookie. If the administrator of a website or mobile
application asks permission for different types of cookies, the user must choose
have to consent (or refuse) to any kind of cookie, or even, in a second
information layer with choices, for each cookie individually.
110. By using pre-ticked boxes, as set out by the Inspection Service in its
reports, the defendant commits an infringement of articles 4, point) 11j° 6, paragraph 1, point a) and 7, paragraph 1 AVG,
as explained in recital 32 of the GDPR.
II.5.3. Disclaimer for third party cookies (potential violation of article 5, paragraph 2 and
7, para. 1 GDPR) – determination 4 Inspection service
65This is also related to the specificity requirement of the consent, cfr EDPB, Guidelines 05/2020 on consent
in accordance with Regulation 2016/679,
https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf, § 50., Decision on the merits 85/2022 - 39/58
Determination of inspection service:
111.According to the Inspectorate, the defendant is trying to shirk responsibility
for third-party cookies that are placed when you visit the Knack and Le Vif sites.
112. For example, the cookie policy states that the defendant is not responsible for cookies set by third parties
are placed and managed, including cookies that enable
sharing information through social networks. The defendant also argues that it has no control over
certain cookies used on its website.
113. With regard to this aspect, the Inspectorate refers to the judgment of the Court of the Wirtschaftsakademie
of Justice which ruled that the owner of a website is responsible for the
processing of cookies that are installed or read from its website. 66 He picks up
at least part in determining the purposes and means of the processing of the
personal data of visitors to his website through third-party applications on his website
or to allow the distribution of the content of third parties in the advertising spaces of its website.
114.Then the Inspectorate refers to the accountability principle in Article 5, paragraph 2 of the
GDPR, which shows that the controller is responsible for compliance with the
principles governing the processing of personal data and must be able to demonstrate that these
principles are taken into account.
115. This practice employed by the defendant must also, and as discussed above, be
considered a violation of Article 7(1) of the GDPR, as a controller
must demonstrate that the data subject has given permission for the placement of cookies
from its website that are not strictly necessary.
Defendant's position:
116. The defendant is not responsible for the processing of cookies used by third parties in
be placed within the framework of the IAB TCF.
According to the defendant, this interpretation was also confirmed by the GBA in the current IAB
Europe research: “Belgium's Data Protection Authority found IAB Europe's Transparency and
Consent Framework does not meet several standards under the EU General Data Protection
Regulation, TechCrunch reports. The DPA determined the framework fails to comply with the
GDPR's principles of transparency, fairness and accountability. IAB Europe said in response it
“respectfully disagree[s] with the [Belgian DPA]'s apparent interpretation of the law, pursuant to
which IAB Europe is a data controller in the context of publishers' implementation of the TCF”.
117. Next, the defendant argues that, should the Disputes Chamber come to a different conclusion,
its practices nevertheless comply with Article 5(2) of the GDPR. The
66Judgment of the Court of Justice of 5 June 2018, C-210/16, ECLI:EU:C:2018:388, Wirtschaftsakademie, inter alia para. 39, Judgment on the substance 85/2022 - 40/58
accountability means “(I) the need for a controller
to take appropriate and effective measures to implement the principles of
implement data protection”. 67There are no guidelines published by the DPA
clarifying what is meant by a minimum of appropriate and effective
measures. In addition, Roularta has chosen to use the IAB
Framework described as “the most sophisticated and scrutinized model of GDPR-
compliance for digital advertising in the world”. Roularta clarifies that the disclaimer does not de
intended to shirk responsibility, but rather to indicate that
it is unable to block cookies placed by third parties.
118. Passing responsibility in the cookie policy was not so much the intention
to abdicate responsibility, according to the defendant; to indicate that the
the defendant is technically not able to block cookies that are used by some third parties (in this case:
advertisers) are placed.
Advertisers and agencies can, when an ad campaign on one of the
Roularta sites, via that campaign launch cookies or scripts that are used by Roularta
impossible to know in advance.
119.The defendant states in its conclusions that the sentence in question was removed from the cookie policy
because since the IAB TCF framework it can be assumed that IAB vendors conform to this
frameworkdo not place any cookies or scripts unless there is both permission for the cookies and
the vendor concerned has been approved in the list of partner companies.
Position of the Dispute Chamber:
120. The Disputes Chamber does not agree with the defendant's contention that it does not
68
is responsible for the processing of cookies by a third party.
121.The responsibility of IAB Europe excludes the responsibility of other
controllers within the TCF framework. 69 The Disputes Chamber points
points out that the defendant must be seen as a (co-) controller in the
framework of TCF, because they are supposed to decide whether or not to immediately register
CMP work together, and are also able to determine which advertisers appear on their website or in
are allowed to offer their application advertising and which means (cookies) they can use for this
apply.
67 WP29, Opinion 3/2010 on the “Accountability Principle”13 July 2010, WP173, 10, available at:
https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp173_en.pdf.
68 Decision Disputes Chamber GBA 21/2022 of 2 February 2022, available via:
https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-21-2022.pdf.
69, Decision on the substance 85/2022 - 41/58
122. The defendant states in its conclusion that, given the dominant position of IABEurope, it is obliged
was to implement the IAB TCF. The Disputes Chamber rules that this argument of the
defendant cannot be followed. In general, it can also be noted that there are
alternative providers are available on the market, quite apart from the fact that it is not true that there are
any obligation on the part of the defendant to make use of the offer
of IAB to facilitate advertisements through its websites. Roularta was free to choose
implement the IAB TCF and therefore bears responsibility for the consequences of that
implementation.
123. The Disputes Chamber rules that the defendant must be identified as
controller, which is also not disputed in this proceeding. if
controller is responsible for the processing of personal data and
it must be able to ensure compliance with the principles governing the processing of personal data
demonstrate. The defendant can therefore pass on the responsibility for the placement of cookies
third parties on its websites from its processing responsibility. Moreover
The cookie policy states that it has no control over certain cookies that are placed on its website
posted. However, it is up to the defendant as operator of the websites, and in this case as
controller under data protection law, to provide appropriate technical
and organizational measures to ensure that its processing activities in
are in accordance with the relevant legislation. Disclaiming responsibility for
the placement of cookies by third parties against data subjects for whom the defendant has been appointed
maybeas controllerisanviolationofarticle5,paragraph2GDPR,junctoarticle24
70
GDPR (accountability).
124. In summary, the Litigation Chamber concludes that the defendant's obligation rests upon it
to accountability (Article 5, paragraph 2, j° Article 24), by denying the
bear responsibility towards those involved.
II.5.4. Incorrect and deficient information (potential violation of Articles 4,
point 11), 12, paragraph 1, 13 and 14 of the AVG) -determination 5 Inspection service
125. The Inspectorate establishes a breach of the transparency principles of the GDPR by the
defective cookie policy of Roularta Media Group. For example, Article 12(1) of the GDPR provides that the
controller must take appropriate measures to ensure that the data subject is
including Article 13 of the GDPR mandatory information in a concise, transparent, comprehensible and
in an easily accessible form and in clear and plain language.
70 The obligation in Articles 5.2 and 24.1 of the GDPR means that the VV must demonstrate that it complies with the obligations of the GDPR
complies. If the VV fails to show this, there is a violation of these articles. See also:Article39DataProtectionWorking
Party, Opinion 3/2010 on the principle of accountability13 July 2010, 12, https://ec.europa.eu/justice/article-
29/documentation/opinion-recommendation/files/2010/wp173_en.pdf., Decision on the merits 85/2022 - 42/58
Articles 13 and 14 of the GDPR then determine which information must be provided
by the controller to the data subject. In paragraphs 1 and 2 of both articles
lists a list of information provided by the controller to the
person concerned must be given.
126. In order to clarify the relevant legislation, the Court of Justice in the Planet49 judgment also
clarifies how the controller should provide information before placing cookies
specify how long the cookies remain active and whether or not third parties can access the cookies
to ensure proper and transparent information (Article 5.3 ePrivacy Directive
with regard to the placing of cookies in conjunction with information obligations from art. 13.1(e) and art.
13. 2 (a) GDPR).
FindingsInspection Service:
127. The Inspectorate has established that there were shortcomings in the cookie policy:
▪ Defendant's cookie policy contains provisions that do not comply
with the GDPR. For example, the cookie policy speaks of implicit consent for cookies via the
access to the defendant's websites, which is contrary to the need for a
expression of will through a clear statement or positive act in accordance with Article 4,
point 11) AVG. It is also noted that for sharing data collected through
cookies, no specific consent is required, which is contrary to the specific
nature of the consent to a data processing in accordance with Article 4,
point 11) of the GDPR;
▪ The cookie policy would also lack clarity about the necessity of using
third-party cookies due to technical problems that have been going on for more than a year;
▪ The Inspectorate also notes that the names of the types of cookies in the cookie policy
do not match the cookie category names in the cookie setting tool,
which does not benefit comprehensibility;71
Cookie Policy Cookie Setting Tool
Necessary cookies Necessary functional cookies
7Inspection service,Technical investigation report on the use of cookies on the Knack website (document 6 administrative file),
39., Decision on the substance 85/2022 - 43/58
Analytical cookies Analytical cookies
Social Media Cookies Content Selection and Delivery and
report
Advertising cookies Advertising selection and delivery and
report
Content Personalization
Advertising and marketing cookies
▪ In addition, the cookie policy does not include information about the storage periods of
cookies. The Privacy Policy only states: “Roularta Media Group will not process your data
keep for longer than is legally permitted and than is necessary for the purposes
mentioned in this document”. The cookie policy also states: “the retention period differs
from cookie to cookie, in general, the cookie is stored until the user is
delete cookies.”
▪ The cookie policy mentions the use that the partners make of the “IAB Europe”
Transparency & Consent Framework” as a consent management tool, which ensures that
third parties comply with the GDPR, while of the 449 partners who are on the Knack and Le Vif sites
state 312 not or no longer validated by IAB;
▪ The user should refer to the policies of the 449 sellers to find out what
these companies do with his data and make an informed decision based on that
to give his consent. This is illusory and impracticable and, moreover, will
lead to the setting of even more cookies when visiting the links to this one
partners;
▪ Finally, it is determined that cookies are not individually documented, which means
the user is unable to control what is being done with their data.
In the privacy policy there is brief information about cookies:
Position of the Dispute Chamber:, Decision on the merits 85/2022 - 44/58
128. The Disputes Chamber finds that the defendant indicates in its claims that it
cookie policy has changed in certain aspects :72
- The statement that the defendant's registration system has been temporarily replaced by a technical
problem used third party cookies to log into the websites of the
Defendant is now removed (the problem would also have been resolved by moving to
a new registration software that only uses a purely functional cookie
to make sure users don't have to log in every time);
- In the update of the cookie policy dd. July 31, 2020 all cookies are correct
inventoried and documented.
Correcting some inaccuracies cannot undo the infringement of the past
Consequently, the Dispute Chamber is of the opinion that the defendant has a negligent attitude
on several aspects regarding its transparency obligation under
of Articles 12 and 13 GDPR.
129. First, the infringements are related to the incorrect information in the cookie policy.
In accordance with Articles 13 and 14 (respectively paragraphs 1 and 2) of the GDPR, the following information must be summarized:
be provided to the data subject: the name and contact details of the
controller, the reason why the data is processed, the retention period
of the personal data, with which companies/organizations the data is shared, as well as
the data protection rights of the data subject. With regard to this last element,
the Inspectorate determines that incorrect information has been given in the privacy policy of the
defendant, such as the existence of an implied consent contrary to the provisions
about this in the GDPR.
130. The Disputes Chamber states that providing incorrect information about the consent requirement in
the GDPR infringes Article 12(1) and Articles 13 and 14 of the GDPR.
131. Second, with regard to the mention of the temporary technical problem that caused third party
cookies were temporarily used to log in users. However, this problem could date from
19 November 2018, so that it is impossible to speak of a “temporary” problem (the
determination of the statement in the cookie policy dates from January 8, 2020). The Dispute Room
furthermore, considers that a technical difficulty does not constitute a violation of the rules of the GDPR
can justify, given that this is a long-term violation where major
numbers of those involved could be disadvantaged, and where the responsibility of the
controller for those activities cannot be negated in any way.
72see document 20 of the defendant's collection of documents: new cookie policy., Decision on the merits 85/2022 - 45/58
132. Third, regarding the inconsistencies between the cookie policy and the cookie management tool.
The defendant justifies this by alleging that it was obliged by IABEurope to use these terms
to be used in the consent tool, on pain of exclusion from the IAB TCF. She wanted in her own
cookie policy use more understandable terms. The Disputes Chamber understands the position of
Defendant with regard to the obligation to apply the terms proposed by IAB
Europe in its consent tool. However, this does not alter the fact that using different terms
in its privacy policy increases the ambiguity and in that sense not in accordance with the
providing information in “concise, transparent, comprehensible and easily accessible”
form and in clear and plain language” (Article 12(1) of the GDPR on the interpretation of Article 13
and 14 GDPR).
133. Fourth, regarding the lack of information about the storage periods of the cookies. The
The inspection service determined that there was only a statement in the cookie policy that the
retention period “depends from cookie to cookie”. The defendant argues that the views of the
Inspectorate that “no concrete information about the storage periods can be found” and that “the
cookie policy refers to a storage period that is in principle unlimited” are incorrect. she states
that in principle two types of information about the storage time of the cookies were included in
the cookie policy: (i) the fact that the retention time varies from cookie to cookie, (ii) the fact that the
user can disable cookies, resulting in a non-existent retention time.The Defendant
argues, therefore, that the Inspectorate went too far in stating that this information is equivalent to
an unlimited storage period.
134. The Disputes Chamber follows the defendant with regard to this last element. The information in the
cookie policy makes no mention of an in principle unlimited storage period. However, this takes
does not mean that the information in the cookie policy was insufficiently clear and transparent, given that
there was no indication whatsoever about the concrete retention periods, and therefore neither was this information
was available to those involved. Article 13(2)(a) GDPR and Article 14(2)(a) GDPR
clearly state that information must be given about “the period during which the
personal data are stored, or if that is not possible, the criteria for determining that
term". The Commission for the Protection of Privacy, the
legal predecessor of the GBA in accordance with art. 3 WOG, already issued a recommendation in 2017
Facebook regarding its cookie policy. In it, the Commission stated that the person concerned has clearly
and understandably must be fully and accurately informed about the retention period of
the data it collects via cookies.3According to the Commission, providing that information would
are also necessary to ensure informed consent and to
73CBPL, Recommendation no. 03/2017 of April 12, 2017 supplement to recommendation no. 04/2015 of its own accord with regard to 1)
facebook, 2) the users of the internet and/or Facebook as well as 3) the users and providers of Facebook services, in particular
social plug-ins (CO-AR-2017-004), Decision on the merits 85/2022 - 46/58
74
fair and lawful processing. The shortcoming would meanwhile
75
have been rectified by the defendant in its renewed cookie policy.
135. Due to the lack of clear and transparent information on the concrete
retention periods for the cookies placed on its website, as determined by the
Inspectorate, the defendant infringes Articles 13 and 14 j° 12(1) GDPR.
136. Fifth, as to the entry in the consent management tool related to the
use of the “IAB Europe Transparency & Consent Framework”. The defendant argues that it
this mention only wanted to increase transparency and inform the user about the
way in which it wants to control the use of cookies, namely by joining a
internationally recognized standard within the digital advertising world. The Inspectorate found
this mention in the privacy policy is insufficient to inform the 449 partners of both Knack and Le
Vif by default (it also appears from the Inspection Report that 312 of the 449
partners - the vast majority - are no longer validated by IAB).
137. From these elements, the Disputes Chamber infers that the information provided by the defendant to the
users thereby trying to create an appearance of respecting the rules
on data protection. It cannot be assumed that this entry de
transparency, all the more so now that it turns out that the information was also incorrect. For this reason
it must be noted that also on this point the information provided by the defendant
is not sufficiently clear and transparent under Articles 13 and 14, j° 12, paragraph 1 GDPR.
138. Sixth, with regard to the fact that the user of the website in principle follows the policy of the 449
should consult partners in order to know what happens with his data and in order to
to give informed consent on this basis. This redirect cannot be
accepted as the sole supporting element in the provision of information to data subjects, therefore the
de facto negates responsibility for information obligations for the
controller – which is not in accordance with the provisions of the GDPR
in this context. The fact that data subjects do not provide more concrete and clear information
have access to the use and further use of their personal data,
for this reason, an infringement of the information obligation under Articles 13 and 14 j° 12(1) GDPR.
139. Seventh, the Disputes Chamber deals with the findings of the Inspectorate regarding the
not individually documenting the cookies in the defendant's cookie policy.
The Disputes Chamber points out in this regard that in accordance with Articles 13 and 14, in conjunction with Article 12,
paragraph 1 GDPR, transparent information must be provided about cookies that contain personal data
collect or otherwise process. This requirement applies regardless of whether or not there is a
74
ibid.
75 Piece 20 of the defendant's collection of documents, Decision on the merits 85/2022 - 47/58
permission must be given for the installation and reading of such cookies, and therefore
also in the case of a strictly necessary cookie.
140.In the cookie policy there is only a limited number of informational elements about cookies:
Given the very limited information provided in relation to the list of cookies present, 76
the Disputes Chamber indisputably establishes a problem with regard to information obligations.
141.The following information should certainly be stated separately by category of cookies, so that
a cookie would be sufficiently documented: the personal data being processed, the
purposes of processing for such cookies and the retention period of such cookies (see
for this the information obligations in Article 13(1) and 14(1) GDPR). Since this information
is missing for each category of cookies used in the cookie policy, cannot be judged impossible
that the cookies were sufficiently documented.
142. The Disputes Chamber infers from the findings of infringements listed above that the
Defendant fulfills its obligation to provide information accordingly Articles 13 and 14, j°12, paragraph 1AVGophet
time of those findings. The Disputes Chamber emphasizes in this regard that the
The controller's responsibility is to ensure itself that the
website information provided is in accordance with reality, in accordance with the aforesaid
provisions in the GDPR. The Disputes Chamber refers here emphatically to the provisions of Articles 5, paragraph
2 and 24 GDPR established accountability.
II.5.5. Unjustified storage periods of cookies (Article 5(1)(e) GDPR) –
determination 6 Inspection service
143. Article 5(1)(e) GDPR provides that personal data may not be kept longer than
necessary to achieve the intended purpose (principle of “storage limitation”). The retention period may
therefore not unlimited. The information collected and stored in a cookie and the
information collected as a result of reading the cookie must be deleted
when it is no longer necessary for the intended purpose.
144. On the website of the GBA, the following is stated in the theme file “cookies” regarding
the storage period or lifespan of cookies:
76For an overview of the names of the installed cookies, and the findings regarding its flawed character, see:
Technical research report on the use of cookies on the Knack website, document 6 administrative file, p. 29 ff., Decision on the merits 85/2022 - 48/58
“A cookie that is exempt from the consent requirement must have a lifespan
directly related to the purpose for which it is used and to be
set to expire as soon as it is no longer needed, taking into account the reasonable
expectations of the average user. Cookies exempt from consent
are therefore likely to expire when the browser session ends or even earlier.
However, that is not always the case. For example, in the shopping cart scenario, a
retailer set the cookie to remain after the end of the browser session or
for a few hours to account for the fact that the user may inadvertently de
browser may close and reasonably expect to see the contents of the shopping cart
when he returns to the retailer's website a few minutes later. In
in other cases the user may expressly request the service for certain information
from one session to another, requiring the use of permanent
cookies is required.”7
145. From the technical analysis reports of the Inspectorate, both with regard to the Knack website
if this one from LeVif, it turns out that the effective storage periods for some cookies are unreasonably long
and that the cookies have a lifespan of several years. Below is an overview of cookies
with unreasonably long storage periods (expressed in days):
- UID: 720 days (Le Vif and Knack)
- _gfp_64b: 1000 days (Knack and Le Vif)
- OB-USER TOKEN: 90000 days (Knack and Le Vif)
- You: 730 days (Le Vif)
- Gdyn: 1698 days (Le Vif and Knack)
- Gtest: 1698 days (Knack)
146. The defendant argues that in the past the Data Protection Authority has not made any specific
has issued guidelines regarding the precise storage periods of cookies. This states that it
because of this uncertainty it was not clear to her what should be understood concretely
under “a lifespan that must not be longer than the time necessary to achieve the intended purpose
reach".
147. The Disputes Chamber points out, however, that the lack of guidelines from a supervisory
government cannot be used by a controller as a reason for the
non-compliance with the provisions of the GDPR. 78 Indeed, there is, in accordance with the provisions of Article 5,
77
https://www.dataprotectionauthority.be/professioneel/thema-s/cookies. The Disputes Chamber underlines.
78See also above, part II.3 of the present decision, Decision on the substance 85/2022 - 49/58
paragraphs 2 and 24 GDPR, obliged to ensure itself that
the processing of personal data carried out by him takes place in accordance with the provisions
of the GDPR and must be able to demonstrate this.
148. In addition to the foregoing, it should be noted that, if the defendant
was the opinion that the lifespan of certain cookies and the retention period of the cookies via these cookies
personal data collected was proportional, could have demonstrated this if desired
or could have argued in the course of the proceedings why it is of the opinion that the
retention periods do meet the requirements of Article 5(1)(e) GDPR. The defendant did
this however is not.
149. The reports of the Inspectorate also show that the lifespan of certain cookies in
case is manifestly disproportionate and can in no case be considered proportionate to
the purpose pursued. In this context, particular reference should be made to the cookie
“OB-USER-TOKEN”, with a lifespan of 90,000 days or approximately 246 years.
150. The defendant argues in its response that the retention period as established in
its privacy policy means that the placed cookies are stored until they are
user will be deleted. 79 The defendant submits that the Inspectorate's finding,
according to which the retention periods would be “indefinite”, is therefore not correct.
151. While it is true that the defendant has not argued that it is an unlimited
storage period, it is true that it is not clear proactive recording of (criteria for)
the concrete retention periods constitute an apparent shortcoming in the light of the principle
on storage limitation.
152. On the basis of the above, the Disputes Chamber finds that the defendant has committed an infringement
committed on Article 5(1)(e) GDPR.
II.5.6. Non-compliance with the withdrawal of consent (Article 7(3)GDPR) -
determination 7 Inspection service
153. Pursuant to Article 7(3) of the GDPR, the data subject has “the right to give his or her consent at any time”
to withdraw. Withdrawing consent does not affect the lawfulness of the processing
of the consent before its withdrawal, without prejudice.
he shall be notified thereof. Withdrawing consent is as easy as
giving it.”
79Cf. statement of response defendant, p. 32, no. 86 et seq., Decision on the substance 85/2022 - 50/58
Establishments Inspection Service: 80
154. It appears from the technical analysis report on Le Vif's website that: 81
- when the inspector surfed to the site, 60 cookies were detected before the
permission was given;
- when the inspector gave his consent for all cookies in the cookie consent tool, there
147 cookies were detected;
- when the inspector wanted to return to the selection screen (consent tool) to
withdraw permission, it was confronted with a black screen, after which the
website blocked:
The Inspectorate therefore determined that it was impossible to obtain the consent
Pull.
155. For the Knack website, the Inspectorate established that: 82
- when taking steps 1 to 15 (in step 15 all cookies were accepted), 86
cookies were detected;
- in step 24 (deleting the cookies and reloading the web page): number of cookies 73→
step 25 (allow all cookies again and reload the page): number of cookies 85 →
step 26 (return to minimum cookies and reload): number of cookies 88;
Between step 24 “all cookies” and step 26 “minimum cookies” the number of cookies does not decrease,
on the contrary, the number of cookies is increasing.
80 Report of the Inspectorate, document 10, p. 30, with reference to the findings in the technical investigation reports
in that regard.
81Page 36 of Le Vif's technical analysis report.
82
For an overview of all the steps taken by the Inspectorate, reference is made to pages 31 to 33 of the
technical analysis report., Decision on the substance 85/2022 - 51/58
156. In addition, it appears from the Inspectorate's technical analysis report that the withdrawal of the
Consent is more difficult than giving it:
- For LeVifiser even an impossibility to withdraw the consent
(see above).
- For Knack it appears that adjusting the permission is only possible by using the
“footer” clicking on “cookie settings”:
Defendant's position:
157. In its statement of defense, the defendant submits, with regard to the . described above
findings of the Inspectorate regarding the withdrawal of the permission that certain
of these problems are due to an unfortunate configuration of the OneTrust cookie tool, which
used by the defendant at the time of the findings. She states in this regard
more specifically that, firstly, when implementing the aforementioned tool, there is no correct technical link
was made between the consent given or not and the first party cookies used by the site
were placed themselves. It states that with regard to the cookies placed by advertisers, the
consent was correctly enforced by applying the IAB TCF. The Defendant
adds that the aforementioned issue was resolved by the implementation on March 31, 2020
of the CMP Didomi.
158. Second, with regard to the Inspectorate's determination according to
which for the website www.levif.be gets a black screen when trying
withdraw permission, that this can also be explained by a configuration problem of
the OneTrust cookie tool. The defendant argues that it was, however, its intention to insert
from the tab “more info and configuration” allow users to give their consent for free
to change. She regrets that the Inspectorate was confronted during its investigation
with a black screen instead of the affected setup screen. 83
Position of the Dispute Chamber
159. On the basis of the findings of the Inspectorate, the Disputes Chamber establishes the above
evidence presented as well as the statements of the defendant establish that there are more steps
are necessary to withdraw consent than to give consent. This is not in
in accordance with Article 7(3) of the GDPR, which states that the withdrawal of consent is equally
should be as simple as giving it.
160.The fact that technical problems arise during the withdrawal process
permission, indicates that the correct technical measures have not been taken to ensure that a
83 Conclusion of the defendant's reply, p. 33., Decision on the substance 85/2022 - 52/58
data subject can withdraw her or his consent at any time. In addition, it appears that even when
it creates the appearance for the data subject that she or he has withdrawn consent, the
technical situation does not change to a basic situation, but on the contrary, more cookies that
processing personal data can be detected on the Knack website.
161. Therefore, the Disputes Chamber with regard to both Knack's and LeVif's websites
a breach of Article 7(3) of the GDPR.
III. Infringements and sanctions
162. In summary, in the present case, the Disputes Chamber finds infringements of the following provisions in the main:
from the defendant:
- Article 6(1) of the GDPR, read in conjunction with Article 129(2) of the Act on
electronic communication (current article 10/2 of the law of 30 July 2018 on
the protection of natural persons with regard to the processing of
personal data 84), due to the placement of not strictly necessary cookies on her
websites www.knack.be and www.levif.be without permission being obtained.
In accordance with the aforementioned provisions, the processing of personal data requires
prior consent by placing and/or reading cookies
of the data subject, unless the cookies are strictly necessary to 1) the transmission
of a communication over an electronic communications network or 2) to
to provide a service expressly requested by the user. From the findings of
the Inspectorate and the documents in the file show that on both aforementioned websites
cookies were placed that cannot be regarded as strictly necessary and this
without obtaining the user's consent. It was also determined that
statistical cookies were placed without the user's consent. The
the defendant neither denies nor refutes the aforementioned finding in its statement of defense
and during the hearing.
- articles 4, point) 11j° 6, paragraph 1, point a) and 7, paragraph 1 AVG, as explained in recital 32 of
the AVG, because of not meeting the conditions regarding permission contained
in the aforementioned provisions. In particular, it was found that on the websites
www.knack.be and www.levif.be At the time of the research, use was made of
so-called “pre-ticked boxes”, where the cookies of the partner companies
were marked as “active” by default. However, this can in no way constitute a valid
84BS 5 September 2018., Decision on the substance 85/2022 - 53/58
consent within the meaning of Art. 4, point 11) GDPR for the placement of cookies
(i.e. “any free, specific, informed and unambiguous expression of will with which
the data subject by means of a statement or an unambiguous active
accepts any act concerning him/her concerning the processing of personal data"). This one
practice is also contrary to the case law of the Court of Justice of the European Union
85
(Judgment Planet49 ).
- Articles 5(2) and 24 GDPR, due to the publication of a disclaimer on the
websites concerned where the defendant claims that it is not responsible for the
placement of third-party cookies on these sites, including in the context of the
use of the IAB Transparency and Consent Framework. This statement of the
the defendant is, however, contrary to the case-law of the Court of Justice of the
European Union in the Wirtschaftsakademie judgment, 86 in which the Court held that the
owner of a website is responsible for processing by means of cookies
who installs or reads his website. This attitude of the defendant is therefore contrary to
with Article 5, paragraph 2 j° Article 24 GDPR, according to which the controller
is responsible for compliance with the provisions of the GDPR and demonstrating
of this.
- Articles 12(1), j° 13 and 14 GDPR, as the way in which the information is sent to the
data subjects was provided does not meet the requirement of a "transparent,
comprehensible and easily accessible form". It was first established that the
privacy policy contained incorrect information, including regarding consent to the
use of cookies, as well as with regard to the need to accept
third party cookies. The privacy policy also did not include, at the time of the survey,
full listing of the different types or categories of cookies that have been
posted. Nor did this policy contain sufficient information regarding the (criteria for
determination of the) lifespan of the cookies placed and the retention period of the thus
collected data, as however required by articles 13, paragraph 2, point a) and 14, paragraph 2, dot
a) GDPR. The privacy policy also did not contain information regarding the processing by
partners, allowing those involved to follow the policies of a large number of partners and vendors
should consult in order to obtain this information.
- article 5, paragraph 1, point e) GDPR, due to non-compliance with the principle of storage limitation.
A cookie must have a lifespan that is directly related to its purpose
85
CJEU, C-673/17, 1 October 2019, ECLI:EU:C:2019:801.
86 CJEU, C-210/16, 5 June 2018, ECLI:EU:C:2018:388., Judgment on the merits 85/2022 - 54/58
what it is used for and should be set to expire when it is not
longer, taking into account the reasonable expectations of the user.
- Article 7, paragraph 3 of the GDPR, for failure to ensure that the withdrawal of the
consent to the placement of cookies is just as simple as granting it.
More specifically, it is established for the website www.levif.be that the withdrawal of the
consent is technically impossible via the cookie management tool, because this management tool
blocks and a black screen appears. From the technical analysis of the website
www.knack.be it appears that the withdrawal of consent is ineffective, as it
number of cookies does not decrease after returning to the minimum choices. The Defendant
neither denies nor refutes this finding and states in its reply that this
problem was due to a bad configuration of the
cookie tool OneTrust.
163. As a result of these infringements, the Disputes Chamber decides to impose a
administrative fine of EUR 50,000 to the defendant for the aforementioned infringements. The
The Disputes Chamber also decides to order the defendant to process the
align personal data with the applicable provisions of the
data protection legislation within a period of 3 months from the date of
receipt of the present decision.
164. It should be noted in this regard that the administrative fine is not for
to end an offense committed, but vigorously enforce the rules of
the GDPR aims. Indeed, as can be seen from recital 148 of the GDPR, the GDPR presupposes that in any
serious infringement – thus also in the event of an initial finding of an infringement – penalties, including
87
administrative fines, in addition to or instead of appropriate measures.
Hereafter, the Disputes Chamber shows that the infringements committed by the defendant of the
the aforementioned provisions of the GDPR in no way concern minor infringements, nor that the fine
would cause a disproportionate burden to a natural person as referred to in recital 148 AVG,
where in either case a fine may be waived. The fact that it is a first
determination of a breach of the GDPR committed by the defendant, thus raises
87
Recital 148 states: “In order to strengthen enforcement of the rules of this Regulation, penalties, including
including administrative fines, to be imposed for any infringement of the Regulation, in addition to or in lieu of appropriate
measures imposed by the supervisory authorities pursuant to this Regulation. If it is a small
infringement or if the expected monetary fine would cause a disproportionate burden and on a natural person, instead of a
fine are chosen for a reprimand. However, the nature, severity and duration of the
the infringement, with the intentional nature of the infringement, with damage mitigation measures, with the degree of responsibility,
or with previous relevant infringements, with the manner in which the infringement came to the attention of the supervisory authority, with
compliance with the measures taken against the controller or processor, with the affiliation with
a code of conduct and any other aggravating or mitigating factors. The imposition of penalties, including
administrative fines must be subject to adjusting the procedure and guarantees in accordance with the general principles
of Union law and the Charter, including an effective remedy and a fair administration of justice. [own
underline], Decision on the substance 85/2022 - 55/58
in no way prejudice the ability of the Disputes Chamber to file an administrative
impose a fine. The Disputes Chamber imposes the administrative fine in application of
Article 58(2)(i) GDPR. The instrument of administrative fines in no way serves the purpose
to end infringements. To this end, the AVG and the WOG provide for a number of corrective
measures, including the orders referred to in article 100, §1, 8° and 9° WOG.
165. Taking into account Article 83 AVG, the Disputes Chamber motivates the imposition of a
administrative sanction in concrete terms:
a) the nature, seriousness and duration of the infringement (Art. 83.2 a) GDPR): the infringements found
include a violation of the provisions of the GDPR relating to the
principles of data protection (Art. 5 GDPR) and the lawfulness of processing (Art.
6 (1) GDPR) as well as transparency (Art. 12 et seq. GDPR). A violation of the aforementioned provisions gives
subject to the highest fines in accordance with Art. 83(5) GDPR.
It should also be noted the scope of the processing in terms of number
involved. The websites concerned belong, according to figures from the Center for Information
about the Media (CIM) among the twenty most visited media websites in Belgium, increasing the number of
stakeholders can by definition be called significant.
b) the previous relevant infringements by the controllers (Art. 83.2 e) GDPR): the
defendant has never been the subject of an enforcement procedure of the
Data Protection Authority.
h) the way in which the DPA became aware of the infringement (Art. 83.2 h) GDPR): the infringements
were not reported by the defendant but were established in the context of an investigation
by the Inspectorate on the own initiative of the GBA Management Committee.
166.On April 20, 2022, a sanction form (“form for response against intended sanction”)
forwarded to the defendant. In this sanction form, the present decision
infringements, as well as the amount of EUR 50,000 that is the intended amount for the fine
applies. On 11 May 2022, the defendant submitted its response to this sanction form to the
Dispute room.
167. In summary, the defendant states in this reply:
(1) According to the defendant, the infringements occurred only for a limited period of time, since
the defendant only used the OneTrust cookie tool for 7 months.
88As well as the case law of the Marktenhof, cf., among others, the Brussels Court of Appeal (Markenhof section), X. N.V. t. GBA, Judgment 2020/1471
of 19 February 2020., Decision on the substance 85/2022 - 56/58
2) According to the defendant, the Disputes Chamber incorrectly refers to a “large number”
parties involved”, where, according to the defendant, the Disputes Chamber does not demonstrate which
concrete order this goes. According to the defendant, the CIM ranking gives “no”
indication of the number of visitors”, or those involved – as only the visits are
measured. After all, multiple visits can be attributed to the same
data subjects, inter alia because data subjects access the defendant's websites via various
visit devices.
3) The defendant also states that it has complaints relating to the methodology
which determines the amount of the fine, and makes the comparison with the
fines imposed abroad for similar infringements. It also states that the proposed
fine is “disproportionate” to the modest turnover that its (investigated) websites
collected from digital advertisements.
4) Finally, the defendant states that the turnover to which the sanction form refers is this
of the entire group, and that this turnover may not be fully taken into account for
the calculation of the fine, as not all subsidiaries are part of
“same economic unit”.
168. As regards the defendant's first argument in its reply to the fine form,
the Disputes Chamber refers to the findings made by the Inspectorate on a
number of concrete points in time within the period of its investigation. The fact that a change in the
management of the defendant's websites took place after these findings,
without prejudice to the infringements established at those times. It is true that the
The Disputes Chamber can take into account an improvement of
the situation during the procedure with the Data Protection Authority, but this is required
admittedly that the defendant indicates inconcreto why and how a certain changed situation
can be considered a mitigating circumstance. In this regard, the defendant does not demonstrate that it
longer use of the OneTrust cookie tool means that the situation for data subjects in the
processing of personal data has subsequently been improved.
169. With regard to the second argument, the Disputes Chamber points out that, although the CIM figures
to which, among other things, the Inspectorate referred to in its reports does not provide a concrete indication
of the number of people involved, these figures do provide a general indication of the
popularity of news websites. The fact that the various organs of the
Data protection authority not demonstrating in concrete terms how many data subjects are affected
by the activities of a particular controller against which a
enforcement proceedings are underway, does not mean that indications of the magnitude of
the number of persons involved may not be relevant for the determination of the seriousness of one or more
multiple breaches of personal data protection legislation, in particular the, Decision on the merits 85/2022 - 57/58
impact on a certain order of magnitude on those involved. A comparison can be made with
a situation in which the number of persons involved cannot be accurately determined, but where there is
are indications of the concrete number of those involved. 89 Mutatis mutandis shows the fact that the
defendant the (generally stated) order of magnitude of the number of data subjects who use its websites
visit, dispute, without providing any evidence to the contrary that it concerns a different order,
insufficient to explain why the CIM figures cannot provide an indication of the magnitude of the
number of stakeholders.
170. As regards the third argument relating to the amount of the fine, the
The Disputes Chamber points out that placing cookies in this matter is a commercial matter for the
defendant, in which it has significant financial interests in acquiring the
linked ad revenue. The Disputes Chamber refers, for informational purposes, to the
directives on administrative monetary sanctions, which were in force at the time of the determination of the
90
Inspection service, and the transfer of the fine form, had not yet been accepted.
171. As a fourth argument, the defendant cites that the Disputes Chamber does not demonstrate that the
companies that fall under its umbrella group, are part of
the same economic unit. The Disputes Chamber points out in this regard that during the
proceedings have arisen against the defendant as a group, and in the proceedings also the defendant
appointed in that capacity. In addition, the defendant refers in its reply to
the sanction form itself to itself under its legal form as a group, without distinction
between the alleged various economic activities, or without
present as part of a (segregated) economic activity. The Dispute Room
emphasizes that it can impose fines on the basis of the turnover of a full
91
company, which is undeniable of the group as a legal entity. Superfluously
the Disputes Chamber points out that supervisory authorities have the power to –
subject to adequate justification – to impose fines of up to 10,000,000, resp. EUR 20,000,000,
irrespective of the size of the undertaking, but depending on the type of infringement. 92
172. The whole of the elements set out above justifies an effective,
proportionala deterrent sanction as referred to in article 83 AVG, taking into account the
certain assessment criteria. The Disputes Chamber points out that the other criteria of art. 83.2.
89Dispute ChamberGBA,Decision4/2021of27January2021,46;an appeal againstthisdecisionwasdeclaredunfounded;Court
of Appeal Brussels (Marktenhof), 7 July 2021, 2021/AR/320.
90
Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 16 May 2022, available at:
https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-042022-calculation-administrative_en.
91Article 83, paragraphs 4, 5 and 6 GDPR.
92
Ibid., Decision on the merits 85/2022 - 58/58
GDPR in this case are not of a nature that they lead to an administrative fine other than that
which the Disputes Chamber has determined in the context of this decision.
IV. Publication of the decision
Given the importance of transparency with regard to the decision-making of the Disputes Chamber,
this decision is published on the website of the in accordance with Article 95, §1, 8° WOG
Data protection authority with indication of the identification data of the defendant and
this because of the specificity of the present decision – which means that even in the case of
omission of identification data makes re-identification unavoidable or at least very
probable – as well as the public interest of this decision.
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
- pursuant to Article 58, paragraph 2, point i) j° Article 83 GDPR and Article 100, §1, 13° WOG a
to impose an administrative fine of EUR 50,000 for the violation of Article 6(4)
1 GDPR j° Article 129 WEC; Articles 4(11) j° 6(1)(a) and 7(1) GDPR; Articles 5, paragraph 2
and 24 GDPR; Articles 12, paragraph 1, j° 13 and 14 GDPR; Article 5(1)(e) GDPR; and Article 7(3) GDPR.
- order the defendant pursuant to Art. 58, paragraph 2, point d) GDPR and Art. 100, § 1, 9° WOG
to the processing of personal data in the context of which various infringements
were established in the present decision and for which pursuant to the first
indent of this operative part a fine was imposed, to be brought in line with
the provisions of the AVG within a period of 3 months to be calculated from the receipt of
the decision on the merits and to provide evidence thereof.
Against this decision, pursuant to art. 108, §1 WOG, appeals must be lodged within a
period of thirty days, from the notification, to the Marktenhof, with the
Data Protection Authority as Defendant.
(Get). Hielke Hijmans
Chairman of the Disputes Chamber
