APD/GBA (Belgium) - 11/2022
|Relevant Law:|Article 4(1) GDPR; Article 4(11) GDPR; Article 5(1)(a) GDPR; Article 7 GDPR; Article 12 GDPR; Article 13 GDPR; Article 5.3 ePrivacy Directive|
|National Case Number/Name:|11/2022|
|European Case Law Identifier:|n/a|
|Original Source:|https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-11-2022.pdf (in EN)|
|Initial Contributor:|Matthias Smet|
The Belgian DPA issued a reprimand against a website owner for violating Article 12 and Article 13 GDPR and ordered them to comply with their processing register.
English Summary
Facts
The respondent owns a website 'YourOnlineChoices', through which data subjects can control their ad experience online. When browsing the web and visiting different websites, they can control which non-essential (e.g. for advertising purposes) cookies they accept or refuse. If they choose to turn off interest-based advertising, they still see advertisements on the internet, but these are not adapted to their suspected interests or preferences.
Holding
On cross-border processing - competence of the Belgian DPA
The DPA first had to determine whether it was competent.
According to Article 56 GDPR, "the supervisory authority of the main establishment [...] of the controller shall be competent to act as lead supervisory authority for cross-border processing [...]". The Belgian DPA was found to be competent because the defendant had its sole place of business in Belgium, although its activities were deemed to substantially affect or be likely to affect data subjects in several Member States, including Germany.
Obligation to set cookies in order to select advertising preferences on the website & "Cookie wall" practice (violation of Article 7 GDPR) - Complaint not upheld
Second, the DPA had to determine whether the operator of the website lawfully placed a cookie on the complainant's device.
The complainant argued that their consent was not freely given because they could not have used the website without giving it. Indeed, in its recent guidelines, the EDPB condemned the practice of making the provision of a service or access to a website conditional on accepting the placement of non-necessary cookies on the user's device.
However, in this case the cookie in question was strictly necessary for the functioning of the website. The respondent showed that the cookie needed to be placed in order to use certain parts of the website (namely the homepage, the terms and conditions, and the "Protecting your privacy" page), and thus that the legal basis for processing this personal data and placing this cookie was not consent but the legitimate interest of the data controller (Article 6(1)(f) GDPR).
Third, the DPA assessed whether it was lawful to place the aforementioned cookie without providing certain information about such processing.
The DPA restated that the purpose of the transparency principle is to enable the data subject to determine the scope and consequences of the processing before it occurs. Thus, controllers are required to at least provide information on (i) the duration of the operation of cookies and (ii) whether the cookie is a first-party or third-party one.
Thus, the Belgian DPA issued a reprimand to the operator of 'YourOnlineChoices.com' for violating Article 12 GDPR and Article 13 GDPR and ordered them to comply with their processing register - specifically, to mention the third party countries to which personal data was sent.
The Belgian DPA also shares some interesting insights regarding the processing of cookies:
- definition of 'trackers';
- different types of cookies;
- valid consent under GDPR and ePrivacy Directive - transparency obligations
Comment
This decision of the Belgian DPA differs from others because it provided a significant amount of background and additional information regarding 'best practices' when using cookies.
Side note for discussion: The investigation service of the Belgian DPA stated about 'non-identifiable information to analyse site activity to improve navigation' that 'although this information is not identifiable, it is still considered personal data'. How does this reconcile with the definition of 'personal data' in Article 4(1) GDPR that clearly refers to 'identified or identifiable natural persons'?
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.