BlnBDI (Berlin) - 521.14877.15

From GDPRhub
Revision as of 15:56, 26 September 2023 by Mg (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
BlnBDI - 521.14877.15
LogoDE-BE.png
Authority: BlnBDI (Berlin)
Jurisdiction: Germany
Relevant Law: Article 7 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 19.09.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 521.14877.15
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): German
Original Source: BInBDI (Germany) (in DE)
Initial Contributor: mg

In one of the cookie banner mass complaints filed by noyb, the Berlin DPA found that collection of consent by the controller did not fully comply with the GDPR. However, given the improvements in the cookie banner, the DPA did not adopt any corrective measure.

English Summary

Facts

This decision was adopted in the context of the cookie banner mass complaints filed by the NGO noyb.

In 2021, the data subject visited a website managed by the controller. According to the data subject, the cookie banner designed to collect users’ consent did not comply with the GDPR. In particular, there was no option to reject cookies on the first layer of the banner, but only a link to a second layer. Moreover, the design of the banner was deceptive. Finally, the controller had not implemented a floating button to withdraw consent, in violation of Article 7(3) GDPR, which states that it shall be as easy to withdraw as to give consent.

After the data subject lodged a complaint with the Berlin DPA, the controller changed the design of the cookie banner. More precisely, the link to reject cookies was moved from the explanatory text to a more visible area of the banner. The controller also provided a link on the bottom of the webpage, from where it was possible to open the second layer of the cookie banner and withdraw consent. This was not a floating button. Finally, the controller deleted all the data concerning the data subject.

Holding

The Berlin DPA stressed that the collection of a valid consent shall meet the requirements set in Article 7 GDPR.

Concerning the existence of a rejection button on the first layer of the banner (‘violation type A’ according to the EDPB cookie banner task force), the DPA clarified that such an option is necessary only insofar as the cookie banner prevents the user from interacting with the webpage. In the case at issue, both 'accept' and 'reject' option were provided in the first layer, despite their different design. Therefore, violation type A did not occur.

Concerning the alleged deceptive design (‘violation types C, D, E’), the DPA stressed that Article 4(11) GDPR requires that consent collected by the controller shall be freely given, specific, informed and unambiguous. In particular, ‘freely given’ means that the rejection of consent shall not entail an extra effort by the data subject, as in the case of a reject-button on a second layer of the banner (where the accept-button is on the first), the case of a link hidden within the main text of the banner, or the case of a reject-button which is visible only after scrolling the banner (where the accept-button is immediately visible). In other words, violations concerning deceptive design occur when the option to reject is not clearly offered on the first layer of the banner. That being said, the DPA endorsed the idea that the GDPR does not contain fixed requirements for the design of cookie banners: compliance with the regulation should be assessed on a case-by-case basis.

In the present case, the DPA noticed that the controller moved the reject-button from the text to the bottom of the banner, next to the accept-button. It was not necessary that both options were equivalent or designed in the same way. The DPA also pointed out that this design solution was the dominant one on the market and consequently users could find the reject option where they expected to find it.

However, the DPA found that consent was not ‘informed’, as both the cookie banner and the privacy policy of the controller were incomplete and did not provide sufficient information about the processing activities that followed the collection of the cookies.

Concerning the option to withdraw consent (‘violation type K’), the DPA stated that a floating button is not necessary. Nevertheless, in the case at issue the DPA held the option to withdraw consent not sufficiently clear, as the withdraw-button could be find only after a difficult search on the controller’s website. Therefore, Article 7(3) GDPR was not respected and violation type K occurred.

Notwithstanding the violations identified, the DPA decided not to further proceed against the controller, as the latter had meanwhile brought its banner in compliance with the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Berlin representative for
          a
            Data protection and
            Freedom of information


 Berlin Commissioner for Data Protection and Freedom of Information
 Alt-Moabit 59-61, 10555 Berlin
                                                                                  521.14877.15
 NOYB - European Center for Digital Rights Business name:
                                                          Department:
 By email (PGP encrypted): Processor: XXXXXXXXX

 XXXXX Phone: XXXXXXXX
                                                         Extension number: 332


                                                          Date: September 19, 2023





Closing message
Your submission of August 10, 2021 on behalf of XXXXXXXX

Your reference: C-037-10365 regarding mirapodo.de




 Ladies and Gentlemen


 We hereby inform you of the completion of our review process, based on

the above Entry has been initiated. This final message was the sighting of the

Website used by the complainant XXXXXXXX on April 9, 2021. In the
As a result, there was a violation, which we pointed out to the person responsible

have. After the violation was immediately remedied upon our request,

We have, at our best discretion, refrained from doing so

to take supervisory measures.


Reason:



l. We discovered the following facts:




Berlin Data Protection OfficerTelephone: 030 13889-0 Email: mailbox@datenschutz-
                                                                 berlin.de
and Freedom of Information (BlnBDl) Fax: 030 215 50 50 Website: www.datenschutz-berlin.deAlt Moabit 59-61, 10555 Berlin Office hours: Mon.-Fri. 10 a.m. - 3 p.m., BERLIN
Entrance: Alt-Moabit 60 Thursday 10 a.m. to 6 p.m., or by appointment
     1. Subject of input


 On August 10, 2021, you complained to us that on the website mirapodo.de,

 which is operated by myToys.de GmbH, illegally uses cookies and similar
 Technologies are used and personal data streams to third-party servers

 take place. In your submission you stated that the complainant accessed the website on
 April 9, 2021. The complainant discovered that he was

 Obtaining consent for the use of cookies, etc. a banner was displayed. The

 Banner contained explanatory text including a link in the body text with the name
 "Reject cookies" and a large red button labeled "OK" and a link

 "Settings" below the text.




                                          Cookies wrinkled'






 We could not clearly determine from the description of the facts in the submission whether,

 when and how the complainant uses the banner “while visiting the website”.

 has interacted.


 According to your review, effective consent was not obtained with this banner because
 There was no reject option at the first level (“violation type A”). In addition, the link,

 Color and contrast design is misleading (“violation types C, D and E”). Nevertheless, on the

 Cookies have already been set on the complainant's device "while visiting the website".
 and data has been disclosed to third parties. After all, revoking consent is not the case

 was as easy as granting it, since the website operator did not activate the option,
 to display a small, permanently visible "floating" symbol with which the banner can be displayed

 can be called up again (“Violation Type K”).


 The complaint was accompanied by technical documentation about which cookies are on the

 The complainant's device was set and which http requests and responses

 between his browser and third-party servers. Accordingly, among other things, to
 Connections between his browser and servers of adnxs.com, adsrvr.org, doubleclick.net

 and





                                                                                       Since 2 of 17 criteo.com and cookies named "uuid2", "uid", "IDE", "T DD" and
 “TDCPM” is set on his device. A unique user was created in the cookies

 Identification number (UD) is stored. When visiting the website it was
 The port used is assigned the IP address XXXXXXXXX.



 Before you lodge a complaint with us, you have already contacted the website operator yourself
 used to highlight the themes of the complaint. The website operator has this
 responded on June 29, 2021 and informed you that there were visual changes on

 banners were made. In your submission you therefore stated that you were aware of it
 be that the person responsible is responsible for his behavior regarding violation types C, D and E according to you
 I have set a speech.


    2. Background of the input


The disputed submission is part of a NOYB project. On May 31st and August 10th
In 2021, NOYB has on the website https://noyb.eu/de/noyb-sets-dem-cookie-bannerwahnsinn-
final information about the project is published. Accordingly, NOYB has in one

First step up to 10,000 websites that use the consent management provider OneTrust,
scanned automatically using self-developed software, i.e. H. regardless of the visit
of the websites by a (affected) natural person. The publication also states

explains that the system used by NOYB “automatically generates complaints” and
       The companies then receive an informal draft complaint, a step-by-step

Step-by-step instructions (PDF) on how to adjust your software settings and 60 days time,
to cooperate."


As of May 31, 2021, NOYB initially has 560 website operators where one or more of the
Self-categorized violation types were detected, "warnings" and

“Draft complaints” were sent and the operators were asked to change the cookie banners according to the
to redesign the requirements formulated by NOYB. In the event that this is not within
If the deadline was set, NOYB announced that it would lodge a formal complaint with the

to submit to supervisory authorities. In August 2021, NOYB then has a total of 422 complaints
sent to several European supervisory authorities.


On March 4, 2022, NOYB announced in a website post that it would accept an additional 226 complaints

Submit cookie banners to a total of 18 supervisory authorities

 (https://noyb.eu/de/weitere-226-complaints-against-irrefuehrende-cookie-banner-

 submitted), which was finally implemented on August 9, 2022. With this one
 The follow-up project followed the same approach as the audit in the year

 2021.




                                                                                    Since 3 of 17The disputed entry relates to a website visit on April 9, 2021 and

was submitted to the Berlin Commissioner for Data Protection on August 10, 2021
Freedom of Information (BlnBDl) filed. The entry is therefore obviously part of the first

complaint action. The input is therefore obviously also the aforementioned
standardized and (at least partially) automated testing, which is the

Complainant carried out on behalf of NOYB.


    3. Investigation by the BlnBDl


According to Article 57 Paragraph 1 Letter f of the General Data Protection Regulation (GDPR), it is the responsibility of the
Supervisory authorities deal with complaints from data subjects and the subject matter

to investigate the complaint to an appropriate extent. Against this background we have

The submission was used as an opportunity to view the website yourself on March 23, 2022 and the
document the situation encountered. The descriptions are from the input

partially confirmed.


When the website was accessed, the following banner was displayed at the bottom

Design has changed since the complainant was seen.


             BOOTS BOOTSFTTFN
                                           Would you like cookies?

           store and/or retrieve "P-address, user ID, browser information). The data is used for personalized ads and content.
                                            Advertising and
           Incarceration measurements as well as to gain insights into target groups and product developments. By clicking on the “Reject cookies” link you can


                     refuse consent. More information can be found under .More information•,

The banner does not fundamentally block access to the page content, i.e. H. the content,
that are visible despite the banner can be clicked on. However, it will be about 1/3 of that

Website area covered by the banner and still displayed on all subpages,
as long as no decision has been made.



 Contrary to what was stated in the input, we could not determine that the link, color and
 Contrast design was changed. There was still a big button with the Be

 "OK" was displayed under which there were links. However, the position of the

 The “Reject cookies” link was changed. This was no longer included in the body text, but instead
 directly under the button next to the “Settings” link.



We were able to determine that immediately when the call was made and before any
Interacting with the content of the website both sets cookies on our devices

as well as data flows to domains outside of mirapodo.de.
In addition, 22 cookies were from your own domain and 9 more from

mytoys.de, which is evident from the names of the cookies, among other things. also
                                                                                      Page 4 of 17 were used for analysis purposes. If you clicked on the "OK" button in the banner,

A total of 100 cookies were set on the visitor's device, including: from the domain of

adnxs.com, adsrvr.org, doubleclick.net, criteo.com, adform.net and theadex.com.


After all, we were only able to access the website based on the instructions that the company gave you

with a letter dated June 29, 2021, within the almost 40 DinA4 pages

Data protection declaration you will find a link labeled “here” to view the banner again

to access and revoke your consent.


When viewing the website, we checked other circumstances

data protection concerns have been encountered, which, however, are not the subject of the above.

input were.



In a letter dated March 29, 2022, we contacted the website operator with ours
Observations confronted and our assessment pointed out (see immediately under 11).On

our address was the banner, the integration of third-party services and the content of the

Privacy policy revised. After initially still having questions regarding the integration

individual third-party service providers passed, an oral consultation took place in January 2023
representatives of myToys.de GmbH. The website operator then has more

Changes etc. on the information texts, the duration of individual cookies and the

Website architecture made.



During a recent review of the website by us, we were able to identify the deficits that were the subject of the

o.g. Input were no longer reproduced. Meanwhile, when you access the web
A slightly different banner is displayed at the bottom of the page:



                                                                                       % More filters
    winter shoes women; Brand shoe size color information a Gerst
                                                                                 personalized ads:
                                            Would you like cookies? and click on the link
                                      Consent .Additional roomFŽ for one to save
                               urtc.yot:ier to retrieve {iP-Aúresse. User information, browser information. Barley-
          Advertisements and identifiers). is carried out for and around findings 'about Zietgrupper;
                                Winning and learning product developments. More information about consent iirkž.
         and to






The banner contains three interactive elements labeled “Agree”, “Cookies
reject" and "More information". The button in the banner that gives consent

can be failed, works according to its labeling. The services provided when visiting

The website was loaded by the complainant could only be done after a request was issued

Consent can be established.


                                                                                        Since 5 of 17 there has also been a link labeled “Cookie Settings” in the footer of the website
implemented so that the second level of the banner can be called up again at any time and the

Consent given can be revoked by clicking on the “Reject all” button.


Finally, we received a binding confirmation that all data had been deleted
using the information provided by the complainant

database could be identified.


    4. Cooperation of the supervisory authorities concerned

The European Data Protection Board approved it in September 2021 on the basis of

Art. 70 Para. 1 lit. u GDPR initiated a working group (“Banner Taskforce”) in which the BlnBDl
together with representatives of supervisory authorities from several other Member States

was involved (https://edpb.europa.eu/news/news/2021/edpb-establishes-cookie-
bannertaskforce_en).The exchange in the banner taskforce serves, among other things, to ensure that the NOYB

Complaints lodged with various supervisory authorities should, if possible, be carried out simultaneously
are treated and evaluated and thus the most uniform implementation possible

data protection requirements in the European Union are ensured. On the 18th
In January 2023, the results report of the Banner Taskforce was published (Report of the work

undertaken by the Cookie Banner Taskforce, https://edpb.europa.eu/our-work-
tools/ourdocuments/other/report-work-undertaken-cookie-banner-taskforce_en). In this

report


 represents the common (minimum) consensus that the supervisory authorities have within the

 the complex legal framework surrounding the use of cookies.


 Il. From a legal perspective, we assess the facts identified as follows:

     1. Right to lodge a complaint


In principle, every person can apply for a data protection agreement in accordance with Art. 77 GDPR.
Complain to the supervisory authority if that person's personal data is stolen from someone

other things, it may be processed unlawfully. The regulation states a
The express right to complain to a supervisory authority is therefore only available to natural persons

Persons whose data is processed in a form that the person either directly
is identified or at least can be identified directly or indirectly.


Those under 1.2. The backgrounds of the input shown make it questionable whether the

The process must be treated as a formal complaint within the meaning of Art. 77 GDPR. For it
There are indications of doubt as to whether the complainant even has a terminal device

was affected or whether a device provided by NOYB was used

                                                                                     Since 6 of 17 was. It is undisputed that the accesses and calls documented using the HAR archive
have taken place, but it can be questioned whether this is actually done on a device
of the complainant were made.


As a result, it cannot be determined with certainty whether actually

personal data of the complainant i. S.v. Art. 4 No. 1 GDPR were processed,
or whether it was rather data from a “laboratory device”. It is undisputed that the

Processes as documented by the HAR archive have taken place and data
were processed. However, it can be questioned whether the UlDs in the respective

Cookies that were stored were or rather were already assigned to a natural person
were generated as part of the automated testing process and therefore have no reference to the
complainant as a natural person.


Although the result remained unclear as to whether the personal data would be processed

of the complainant is in question, the matter will be treated as a complaint as a precautionary measure.


    2. Examination standard


Using cookies and similar technologies, such as those regularly used on websites
information can be stored, enriched and enriched on the users' devices
to get managed. In practice, these processes often serve to influence individual behavior

Users - sometimes tracked across different websites and devices
and, if necessary, to create profiles about a person.


Regardless of the technical design or the purposes pursued

Collection and further processing of this information usually takes place in a uniform manner
perceived fact of life. Legally, however, there are two steps to take here

differentiate. Firstly, the storage and access to information in the
Terminal equipment and secondly the processing of personal data, which is often

the purpose of the use of cookies and similar technologies. The
The legality of this (subsequent) processing depends on the requirements of the

GDPR. The upstream technical processes - especially setting and reading
of cookies - but also affect the integrity of the end devices and thus fall

originally in the regulatory area of Directive 2002/98/EC as defined by the Directive
2009/136/EC amended version (so-called ePrivacy Directive).


       a. Legal framework until December 2021

According to a 2019 assessment by regulators, it was for websites
relevant Article 5 Para. 3 ePrivacy Directive has never been adequately implemented into national law -

also not by the regulation contained at the time in Section 15 Paragraph 3 T MG: “The service provider

                                                                                     Since 7 of 17 may be used for advertising, market research or needs-based design purposes
Create telemedia usage profiles when using pseudonyms, provided the user
does not contradict this." Therefore, questions of application have arisen since the GDPR came into force

Related to the design of websites. The regulators had this before
Background in March 2019, an orientation aid for providers of telemedia (OH Tele-

medien 2019) was published, which was intended to help website operators comply with the legal requirements
implement requirements. The orientation aid revealed that the use of cookies

and third-party services on websites from the perspective of the supervisory authorities as a whole based on the
The requirements of Article 6 Para. 1 GDPR had to be measured.


       b. Legal framework after December 2021
With effect from December 1, 2021, Art. 5 Para. 3 ePrivacy Directive was replaced by Section 25 of the

Telecommunications Telemedia Data Protection Act (TTDSG) implemented into German law.
Since then, its requirements must be taken into account when using any technology

whose information is stored in or read from end devices. With
In view of the new legal situation, the OH Telemedien was completely revised in 2019 and a

new guidance published by the supervisory authorities (OH Telemedien 2021
Version 1.1, available at https://www.datenschutzsammlung-

online.de/media/oh/20221130_OH Telemedien_Version_1.1.pdf).


       c. Processes at the time of entry
 The complaint relates to a visit to the website on April 9, 2021 and thus

 a point in time when the TTDSG had not yet come into force. An assessment of the

 The website visit at that time can therefore only be based on the requirements of the GDPR
 take place.


The use of cookies and subsequent data processing described in the above-mentioned. Input criticized
and which were partly confirmed by our own website inspection

advertising-related purposes. These processes required prior consent
the website visitors. Such consent is only effective if

Requirements in accordance with Article 4 No. 11 GDPR are met. Accordingly, the declaration of intent must
voluntarily for the specific case in an informed manner and unambiguously in the form of a

Statement or other clear confirmatory action has been made.
Article 7 GDPR also provides further conditions, including: for the revocation of consent.


The questions underlying the procedure included: Subject more comprehensive

Coordination of the European and German supervisory authorities, from which the
The assessment criteria relevant for supervisory purposes can be derived as follows.


          (1) Examination standard for “violation types A, C, D and E”

                                                                                    Since 8 of 17 After your review, the displayed banner did not give effective consent
obtained because there was no reject option at the first level ("Violation Type A")

Link design (“Violation Type C”), the button colors (“Violation Type D”) and the button contrast
is misleading (“violation type E”). These violation types all concern the design of the

Banners on the disputed website.


From the perspective of the supervisory authorities, there is no rejection function at the first level of a banner
generally required, but only if users use the consent banner

need to interact in order to continue visiting the website. Unless through the banner no
Website areas are blocked and the content is accessible, therefore no action by the website

If users are required, a rejection option at the first level may be unnecessary.


 Likewise, a rejection function at the first level is not necessary once consent has been given
 can be given at another level. It is therefore a question of design

 Consent banner and an individual case analysis (OH Telemedien 2021 Version 1.1 Rn. 122).


 The requirements for the design of the decline option are not stated literally
 the law, but is derived from the individual elements of an effective

 Consent, in particular the fact that it is voluntary, informed and
 must be done unambiguously.



Whether an unambiguous declaration of intent exists when end users give their consent
via a button also depends on whether they have their true will

could express directly or clearly recognize how the true one was
will can be expressed. The evaluation therefore takes into account how
Buttons for giving consent and further options for action are labeled and

are designed and what additional information is provided.


In order to be able to prove that users have made an unambiguous declaration of intent

have submitted, they must be offered at least such selection options,
whose communication effect is equivalent. If a selection option is presented precisely and
       it creates an immediate effect (e.g. an “Accept All” button) while

the other option is kept nebulous and does not allow the true contrary will
with the same effort, there is a deficit of effect and information. One like this

Deficit is suitable for encouraging users to not base their decision on their own
clear will, but only according to which option the consent query is chosen

definitely finished faster. There will be no equivalents for the users
Options for action are offered to grant or reject consent

The requirements for effective consent are not regularly met (OH Telemedien 2021
Version 1.1 Rn. 44 ff.).


                                                                                      Page 9 of 17 When assessing whether the consent was given voluntarily, it must first be clarified whether
There was at all an obligation for the end users to make a declaration, or

whether they could have remained inactive. It can be assumed that such coercion
exists if a banner or other graphic element is used to request consent

Access to the website as a whole or parts of the content is obscured and the banner is not
can simply be closed without a decision.


The characteristic of voluntariness is noticeably influenced when the rejection of all

Access requiring consent means measurable additional effort for end users.
Such additional effort is e.g. B. generated by the rejection only on a second banner

level and therefore only possible with a higher number of clicks (compared to consent).
mung). If users do not respond to a consent query when accessing a telemedia offering

If you can simply ignore it because it obscures the content of the offer, it is therefore regularly missing
on the voluntariness of consent if the refusal is granted with a higher

effort, e.g. B. in clicks and attention (OH Telemedien 2021 Version 1.1
54, 56 f.).


In cases where there is an interactive element at the first level of the banner with which

Since consent can be refused with one click, this alternative is crucial
is clearly recognizable, easily perceivable and unmistakable. The possibility, none

Giving consent must clearly be considered an equivalent alternative to the “Consent
grant". What is crucial is that the alternative to consent as such
can be perceived by users. For example, it is not sufficient if:

the option to refuse is displayed outside of the consent banner on the website
or this in the running text of the banner without clear visual or linguistic emphasis

Identification takes a back seat while the possibility of granting consent
appears prominently as a button outside of the body text. Also an identical button

However, the option is only visible after scrolling through the consent text
for consent is visible directly at the beginning of the banner is not an equivalent alternative

easily noticeable (OH Telemedien 2021 Version 1.1 Rn. 132 ff.).


With regard to the criticized violations types C, D and E, it is therefore relevant whether 'despite the
selected design, color and contrast settings can be recognized by website visitors,

that there is a possibility to use the banner at the first level without giving consent
close.


The criteria for determining when design options unduly influence users, so that

can no longer be assumed to be a voluntary and unmistakable act
o.g. Banner Taskforce stated in its findings report as follows:



                                                                                     Since 10 of 17 TYPE D & E PRACTICES: "DECEPTIVE BUTTON COLORS" &

                     "DECEPTIVE BUTTON CONTRAST"

                lt appears that the configuration of some cookie banners in terms of colors and contrasts of the
                buttons (contrast ratio between the accept button and the backeround" type D practice) could lead
          15- to a Clear highlight of the "accept all" button over the available options,


                The taskforce members agreed to examine type D and E practices together as the issues are linked
                and raise similar points of discussion,
          16.
                The task force members agreed that a general banner standard concerning color and/or contrast
                cannot be imposed on data controllers, in order to assess the conformity of a banner, a case-by-case
          17. Verification must be carried out in order to check that the contrast and colors are not used
                misleading for the users and do not result in an unintended and, as such, invalid consent from therm

                As a result, it was also agreed that a case-by-case analysis would be necessary to address specifically
                casese although same examples of features manifestly contrary to the ePrivacy Directive provisions
                have been identified

                Based on concrete examples, the taskforce members took the view that at least this practice could be
                manifestly misleading for users:
          18- an alternative action is offered (Other than granting consent) in the form of a button where
                        the contrast between the text and the button background is so minimal that the text is

                        unreadable to virtually any use

                While the design choices above are considered problematic, the taskforce members reiterated that
                each specific cookie banner needs to be assessed on a case-by-case basis,
          19-

The statements underline that there is no general standard with regard to the

design of colors and contrasts, but must always be examined on a case-by-case basis.

The members of the task force were of the opinion that only then would a clearly inadmissible

Design exists if a button is displayed as an alternative to granting consent,
where the contrast between the text and the background of the button is so low that the

Text is unreadable for virtually every user. In all other cases an individual examination is required

to be carried out in which it must be clarified whether the users have been blatantly misled.


This corresponds to the assessment standard that the German supervisory authorities already use

Paragraph 125 of the above Orientation aid telemedia have described: “There is no general one

Standard for the design of consent banners in terms of color, size or contrast,
so that there is a certain amount of leeway for those responsible. A behavior control through the

Design, which is commonly referred to as nudging, is therefore not generally impermissible. She

However, it finds its limits where the requirements for effective consent are met

of Art. 4 No. 11 and Art. 7 GDPR are no longer fulfilled. If this limit is exceeded
"Inadmissible nudging can be assumed."



             (2) Examination standard for “Violation Type K”





                                                                                                             Page 11 of 17As a condition of effective consent, Art. 7 Para. 3 GDPR also requires the following:
“The data subject has the right to withdraw their consent at any time. The revocation

“Consent must be as simple as giving consent.”



According to your assessment, withdrawing consent was not as easy as giving it
the website operator did not activate the option, a small, permanently visible

to display a "floating" symbol with which the banner can be called up again

(“Violation Type K”).



The European supervisory authorities apparently share this view
following statements from the results report of the Banner Taskforce:



          9/31 TYPE K PRACTICE: "NO WITHDRAW ICON"

                It appears that where controllers provide an option allowing to withdraw consent, different forms of
                options are displayed. In particular$ some controllers have not chosen to use the possibility to show a
                small hovering and permanently visible icon on ali pages of the website that allows data subjects to

          32. return to their privacy settings, where they can withdraw their consent.

                Website owners should put in place easily accessible solutions allowing users to withdraw their
                consent at any time, such as an icon (small hovering and permanently visible icon) or a link placed on
          33. a visible and standardized place.

                The ePrivacy Directive's reference to consent in the GDPR includes both a reference to the definition of
                consent (article 4 of the GDPR) as well as to the conditions of it (article 7 of the GDPR)
          34.
                In addition to the requirements for the collection of consent to be valid in accordance with the GDPR
                andunderArticle5(3)ePrivacythreeadditionalcumulativeconditionsaremandatory(i)thepossibility
                to withdraw consent, (ii) the ability to withdraw consent at any time, {iii) withdrawal of consent must
                be as easy as to give consent.
         35.
                However, website owners can only be imposed that easily accessible solutions are implemented and

                displayedonceconsenthasbeencollected,buttheycannotbeimposedaspecificwithdrawalsolution,
                and in particular to set up a hovering solution for the withdrawal of consent to the deposit of cookies
                and other trackers. A case-by-case analysis of the solution displayed to withdraw consent will always
                be necessary. In this analysis, it must be examined whether, as, a result, the legal requirement that it
                is as easy to withdraw as to give consent is fulfilled,




This corresponds to the assessment standard that the German supervisory authorities already use
Paragraph 60 of the above Orientation aid telemedia have described: “If links

Direct the user directly to the option of revocation and currently none

If searches are necessary, a directly discoverable revocation option can also be found in one

Data protection declaration can be placed."


      3. Evaluation in the specific case


The data protection assessment is based on the current status and design of the

Internet presence as shown in the complaint documents and ours

                                                                                                       Page 12 of 17 has (partially) confirmed my own viewing of the website. The above Findings show that
Processes requiring consent when the complainant visits the website

took place.

It can be left open whether these processes take place before or without interaction or only after clicking on the

Buttons "Accept" took place. Because we could not determine that the design of the
Banners was clearly suitable for obtaining effective consent for this.


 For all website visits made by the complainant or ourselves

A banner was displayed on mirapodo.de, the design of which made it possible to use the same banner
Effort (1 click) to give or refuse consent. Users were able to log in there

You can decide to access the contents of the website without any additional effort
to give consent. However, the complainant has - based on the

Banner design during his visit - complains that the consent option is colored,
functional and clearly highlighted in terms of dimensions. Consent could be obtained via

a large red button will be issued, while rejection will not have a colored one
highlighted link in the continuous text was possible.


It turns out to be of limited importance whether this integration of the link into the banner text is ensured

that consent was given voluntarily and unambiguously. After the above
The standard of review presented is crucial that the alternative to consent as such

can be perceived by users. It is not sufficient if the
Possibility to reject in the running text of the banner without clear visual highlighting or

linguistic identification takes a back seat. However, the link was in the text
at least clearly labeled and underlined (“reject cookies”)

It should also be taken into account that neither the German supervisory authorities nor the courts are involved
decision-relevant point in time, d. H. in April 2021, not yet to such
had expressed design details. Rather, the focus was on the supervisory authorities

Statements at the time were intended to raise awareness of the fact that website operators
any functional one

Provide an option at the first banner level to refuse consent.

From the perspective at the time, the design cannot clearly be viewed as a violation
become.


The website operator has this link, which was previously in the running text, to the address

of the complainant visually shifted before the complaint was filed. He is
Since then it has been directly under the red button. We could not determine that the chosen

Design, color and contrast settings are a voluntary and unambiguous decision
exclude. The alternatives are (at least) since the redesign as such at a glance
recognizable. All interactive buttons are located outside the body text and stand out

stands out from the white background. The fact that the elements do not change this does not change anything

                                                                                      Since 13 of 17 are presented completely identically. The test standard here is, as shown in 11.2.c.(2), the
actual perceptibility, i.e. H. whether the options can be recognized as such. This is

In this case, yes, even if the option to reject is not framed or otherwise
highlighted in color.


The evaluation must also take into account the expectations of average users,

who are used to having all the options available due to banners currently available on the market
can be found under the banner text and are often shown in different colors. In which

The banner to be evaluated here also does not need to be scrolled. That works too
Alternative to consent is not in the running text or is located somewhere else,

where this is not expected. Finally, the rejection is caused by the different
Color design is also not complicated. The decline option is where

Users expect.


A certain amount of attention from users may also be required.
Otherwise, all requirements for informed consent would also be included

Running on empty. It is therefore reasonable for average users to use the various options
read - otherwise users would also have two identically designed alternatives

you don't necessarily have to choose the reject option.


However, it proved to be problematic with the previous one as well as the modified one
Design so that the consent button only had the label “OK”. What significance

resulting from clicking the button was not clear from the name "OK".
nor was the function clearly explained in the text of the banner. This design

could therefore not ensure beyond doubt that there was unambiguous consent for the
Processes that took place after clicking the "OK" button were obtained.


Regardless of the design of the selection options, we could not determine that the

Information provided in the banner and in the privacy policy for everyone
Processing processes ensure that consents are informed. The to

The information provided was sometimes incomplete or contradictory
regarding the processing purposes, the legal basis and third-party service providers.

For example, in the banner on the fifth level, consent was required
“Marketing” lists a cookie called “fbp” that is used by Facebook.

According to the information in the data protection declaration (there under 4.4.6.1.), services were provided by
However, Facebook is based on legitimate interests. These contradictory statements left

cannot be clearly resolved based on the information on the website. At the same spot
There was also information about a cookie called "FP Nitro", which is located under

First-party cookies were listed, but came from the domain yomonda.de. About this
Cookie, which was also set on our device, was simply told that it was used


                                                                                     Since 14 of 17 “Marketing” and will be set for 3660 days (and therefore over 10 years!). In the
There was no further information about this in the data protection declaration. The ones from this

The resulting information deficits or ambiguities influence the level of information
Consent and justify insufficient information according to Articles 13 and 14 GDPR.


Finally, the possibility of revoking the consent given was designed in such a way that several

Intermediate steps and searches were required. We first had to get the data
Call up the privacy policy and then click on the -36-page privacy policy link
can be found with the designation “here” in order to call up the banner again or

 to declare the revocation (under subsection 4.1 or 4.4 of the data protection declaration). That these
 We only discovered that this possibility even exists because the website operator told us so

The complainant explained in a letter dated June 29, 2021. Such a search process as
An intermediate step is to make the revocation more difficult, which is by no means as easy as this

the granting of consent using a button in the banner. The requirements of Art. 7 Para. 3 GDPR
were therefore not fulfilled on the website.


III. Result


As a result, the design of the website corresponded with regard to the use of cookies

subsequent data processing does not comply with the legal framework applicable at the time
the input applied. However, the website operator immediately responded to our request

reacted and took measures to remedy the deficits. As part of ours
We therefore use our discretion to refrain from taking further supervisory measures

Art. 58 Paragraph 2 GDPR. However, we reserve the right to take further supervisory measures if a
Recurrence is detected.


The subject matter of the above We therefore consider the complaint to be resolved. As far as that

Design of the website, additional deficits in the course of the review
has disclosed, the proceedings will be continued ex officio.


Legal appeal

An action against this decision before the Berlin Administrative Court is admissible. she is
within one month of the announcement of this decision at the Berlin Administrative Court,

Kirchstraße 7, 10557 Berlin, in writing - also as an electronic document using a
qualified electronic signature (GES) - or for the recording of the clerk or

to the clerk. It should be noted that in writing
The deadline for filing a lawsuit is only met if the lawsuit is filed within this deadline

administrative court has received.

XXXXXXX


                                                                                     Since 15 of 17