DSB (Austria) - DSB-D130.1174

From GDPRhub
DSB - DSB-D130.1174
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 3 GDPR
Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 17 GDPR
Article 19 GDPR
Article 77(1) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 19.09.2023
Published: 16.02.2024
Fine: n/a
Parties: n/a
National Case Number/Name: DSB-D130.1174
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: ec

The DPA ordered the controller to change its cookie banner to include an option to reject consent on the first layer. The GDPR was considered applicable even if the website did not offer goods or services in the EU, as cookies monitor the behaviour of data subjects in Europe.

English Summary

Facts

The controller runs a website that offers news relating to fitness and sport. The website also refers to web shops of other companies where customers can buy the products presented. After pressing the “Shop” button, visitors are taken to a British website, where they have the option of ordering a print edition of the articles available online for delivery to Austria. The website is not available in German.

The data subject visited the website of the controller on 24 September 2021. The website displayed a cookie banner. The data subject claimed that due to the design of the aforementioned cookie banner, several infringements had occurred and no valid consent was obtained. After visiting the website, cookies with unique, randomly generated values were set and read on the data subject’s device.

The data subject, represented by noyb, filed a complaint with the Austrian DPA (“Datenschutzbehörde”), requesting that the controller cease all relevant processing activities and erase all relevant personal data.

The controller argued that the GDPR did not apply as it does not consciously and intentionally offer goods and services in the EU under Article 3(2)(a) GDPR. The controller claimed it undoubtedly exclusively addresses the US market. Therefore, the controller argued that there was no reason to make extensive changes to the design of the cookie banner. The controller also claimed that it complied with the market standard and the relevant guidelines of the GDPR.

By 11 May 2023, the controller had erased all personal data of the data subject. The controller did not inform the recipients of the data transfer about the erasure of the personal data.

Holding

The DPA first examined whether the processing activities fell within the territorial scope of the GDPR under Article 3 GDPR. The territorial scope of the GDPR applies if the processing activities are related to the offering of goods (Article 3(2)(a) GDPR) or the monitoring of the behaviour of data subjects (Article 3(2)(b) GDPR).

Regarding the processing of data to offer goods or services, Recital 23 explains that the mere accessibility of the controller’s website is not a sufficient indication of the territorial scope of application. Other factors such as the use of a language commonly used in one or more Member States combined with the possibility to order goods and services in that other language may indicate that the controller intends to offer goods or services to persons in the EU. The DPA found that because the print subscription can be ordered only via a British link, it cannot be inferred that the website is aimed at a European audience, but rather that the British website has a European focus.

Regarding behavioural observation, neither Article 3(2)(b) GDPR nor Recital 24 expressly requires a necessary degree of “targeting” on the part of the controller to determine whether the monitoring activity would trigger the application of the GDPR to the processing activity. The use of the word “observation” implies that the controller pursues a specific purpose when collecting and subsequently reusing the relevant data on the behaviour of a person in the EU. According to the DPA, all forms of tracking and profiling on the internet using analysis tools are therefore covered by the GDPR, such as cookies that enable the individual traceability of users or pursue the purposes of individualised advertising (targeted advertising). Therefore, the DPA found that the processing activity of the controller did fall within the territorial scope of the GDPR, as cookies with unique, randomly generated values were set and read on the data subject’s end device as a result of visiting the website.

The DPA also held that the material scope of application of the GDPR was fulfilled as cookies that contain a unique, randomly generated value and that are set with the purpose of individualising and singling out persons entail processing of personal data under Article 4(1) GDPR.

The DPA then examined whether valid consent had been obtained by the controller for the setting or reading of cookies. There was no possibility at the first level of the cookie banner to reject consent or to enter the website without giving consent. The banner only had the option to refuse consent on the second level after clicking “LEARN MORE” at the first level. Taking into account the CJEU case C-252/21, a procedure in which data subjects are required to carry out more interactions for not giving consent than for giving consent cannot comply with the principle of fair processing pursuant to Article 5(1)(a) GDPR. The DPA held that both the “Accept” and “Reject” options should be visible at the first level. The DPA therefore found that no unambiguous expression of consent pursuant to Article 4(11) GDPR had occurred and thus the cookie banner did not comply with the requirements of the GDPR. The DPA ordered the controller to modify the cookie banner in such a way that valid consent is obtained when visiting the website.

Moreover, the DPA held that the cookie banner itself did not contain a simple and clear notice explaining where consent can be withdrawn. The DPA therefore ordered the controller to adapt its website in such a way that the revocation of consent for cookies used and the associated processing of personal data is easily possible.

The DPA further explained that the use of cookies which are not technically necessary for the use of a website requires prior consent. The controller’s use of analytics cookies cannot in any case be considered technically necessary cookies. Therefore, the DPA ordered the controller to adapt its website accordingly to ensure that prior consent is obtained for the use of such analysis cookies and the associated data processing.

As no valid consent was obtained, the controller was obligated to erase the data in accordance with Article 17(1)(d) GDPR. The controller did not store the personal data of the data subject at the time of the DPA’s examination of the complaint, because it had already erased the data. Therefore, the DPA held there was no violation of Article 17 GDPR.

The controller was obliged to inform the recipients about the erasure of data pursuant to Article 19 GDPR. The controller did not provide the DPA with evidence proving compliance with the notification obligation in Article 19 GDPR, even though the controller bears the burden of proof under Article 5(2) GDPR in conjunction with Article 24(1) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Text

GZ: 2023-0.632.875 of September 19, 2023 (case number: DSB-D130.1174)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for pseudonymization reasons. Obvious spelling, grammatical and punctuation errors have been corrected.]

DECISION

RULING

The Data Protection Authority decides on the data protection complaint of Peter A*** (complainant), represented by the association B***, S***platz *4, **** Vienna, ZVR: *3*1*8*44, dated August 9, 2022 against N*** Publishing & Media, Inc. (respondent), represented by C*** Rechtsanwälte GmbH, due to A) the right to erasure and the obligation to notify in connection with the erasure, B) the application for an order against the respondent to stop the unlawful processing and C) the application dated December 30, 2022 to establish an alleged violation of the right to confidentiality, as follows:

1) The complaint is partially upheld with regard to point A) and the respondent is ordered, within a period of four weeks, to inform the recipients who received the information listed under finding of facts C.4 (these are at least unique user identification numbers) when the complaining party visited the website https://www.runningsport***.com/ on September 24, 2021, about the deletion of the data transmitted to them. The information must be sent in particular to the following recipients: J***Data, The***infoExchange.

2) The complaint is otherwise rejected with regard to points A) and B).

3) The complaint is rejected with regard to point C).

4) The respondent is officially ordered to, within a period of 8 weeks

a. modify the cookie banner (the request for consent) of the website https://www.runningsport***.com/ (see finding of facts C.6.) in such a way that valid consent is obtained when visiting the website. To this end, the respondent must at least modify the cookie banner in such a way that, in addition to the "Accept" option, there is a visually equivalent option on the first level of the cookie banner to close the cookie banner without giving consent (e.g. "Reject" or "Close the cookie banner without consent");

b. adapt its website https://www.runningsport***.com/ in such a way that the revocation of consent for the cookies used (see factual findings C.6.) and the associated processing of personal data is easy. To this end, the respondent must at least expressly include a reference to where the right of revocation can be exercised in the information in the cookie banner (see factual findings C.6.).

c. modify its website https://www.runningsport***.com/ (see statement of facts C.6.) in such a way that valid consent is obtained for the processing of personal data in connection with analytical cookies (in particular J***Data Analytics).

Legal basis: Art. 3, Art. 4 Z 11, Art. 7, Art. 51 Para. 1, Art. 12 Para. 3, Art. 17, Art. 19, Art. 57 Para. 1 lit. d and lit. f, Art. 58 Para. 2 and Art. 77 Para. 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ L 119 of 4 May 2016, p. 1; Sections 18 (1) and 24 (1), (2) item 5, (4) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Section 165 of the Telecommunications Act 2021 (TKG 2021), Federal Law Gazette I No. 190/2021 as amended.

REASONING

A. Arguments of the parties and course of proceedings

A.1. In a submission dated August 9, 2022, the complaining party (hereinafter: bP) submitted the following in summary:

The bP visited the website of the respondent (hereinafter: BG) at https://www.runningsport***.com/ on September 24, 2021. The website displayed a cookie banner. Cookies were set, some with a unique user identification number ("unique ID"). A summary of all HTTP requests and responses is attached as an appendix. The term "relevant processing activities" is used for all processing activities for which the BG wants to establish a legal basis within the framework of the cookie banner. Due to the design of the cookie banner mentioned, several violations occurred. It can be assumed that there was no valid consent. It is requested that the BG be instructed to cease all relevant processing activities and to delete all relevant personal data. The GDPR allows the responsible supervisory authority to make an order that goes beyond the personal data of the bP. Several attachments were attached to the submission.

A.2. In a letter dated December 30, 2022, the bP made the following additional statements:

The bP requests that it be determined in accordance with Section 24, Paragraph 2, Item 5, DSG in conjunction with Section 1, DSG that the BG has violated the standards listed in exhaustive numbers for each type of violation. In the case of unlawful data processing that is no longer ongoing and contrary to Section 1 DSG in conjunction with Art. 5 GDPR, these are completed matters that lie in the past. The violation of law has been successful and the personal data of those affected has been forwarded to countless third parties. The violations of law in question are therefore not amenable to removal within the meaning of Section 24, Paragraph 6, DSG.

A.3. In its statement of May 15, 2023, the BG summarized the following:

The bP's complaint is very general and in many areas there are no specific references to specific legal bases and case law on the alleged misconduct. The territorial scope of application is not even open. There is no conscious and intentional offering of goods and services in the EU within the meaning of Art. 3, paragraph 2, letter a of the GDPR. The market in question is undoubtedly exclusively the US market.

The website offers news, features, reviews and interviews that mainly relate to fitness and sport, especially running. The website also refers to other companies' online shops where customers can buy the products presented.

Due to the inapplicability of the GDPR, there is currently no reason to make comprehensive changes to the design of the cookie banner. Rather, it corresponds to both the market standard and the relevant guidelines of European data protection authorities. Contrary to the general statements of the complainant, neither the GDPR, the DSG or TKG nor other applicable legal bases currently provide more precise specifications for the design of declarations of consent via cookie banners. The parameters relating to transparency and information content that can be derived from Articles 5 and 7 of the GDPR are fully met.

The BG is currently checking its systems for the online identifiers mentioned in the complaint and will take appropriate steps to delete this data if the client is responsible for it. Several attachments were attached to the statement.

A.4. In its statement of June 15, 2023, the bP summarized the following:

The BG's statement that the website is not aimed at an EU audience is incorrect. The BG is also aimed at European users. Consequently, the territorial scope of application of Article 3(2)(a) GDPR applies.

The BG continues to process personal data that is the subject of the complaint. Apparently no deletion has taken place yet. Even if partner companies are independent controllers, the BG must inform all recipients of the deletion within the meaning of Art. 19 GDPR. The violations complained about still exist.

A.5. In its statement dated August 21, 2023, the BG summarized the following:

The BG checked the systems it controlled according to the data listed in the complaint (name and cookie values). The BG deleted all cookie values on May 11, 2023. It can therefore confirm that all personal data for which it was responsible have been permanently deleted.

A.6. In a statement dated August 31, 2023, the bP summarized the following:

The bP maintains its requests in the complaint filed on August 9, 2022 with regard to the violations described and also refers to the application for a declaratory judgment dated December 30, 2022.

B. Subject of the complaint

B.1. Art. 58 GDPR does not contain an express legal basis for an independent determination of the possible illegality of a processing operation relevant to data protection law (cf. Administrative Court [VwGH] of September 1, 2022, Ra 2022/04/0066). Accordingly, the mere determination of a violation of a right protected by data protection law in accordance with (Art. 58 Para. 6 GDPR in conjunction with) Section 24 Para. 2 Z 5 in conjunction with Section 1 DSG requires an application from the data subject.

For the subject of the complaint in this case, these statements mean the following:

B.2. With its submission dated August 9, 2022, the bP did not submit an application within the meaning of Section 24 Para. 2 Z 5 DSG. In the further statements that followed, no reference to Section 24 Para. 2 Z 5 DSG, or to the DSG in general, was initially recognizable.

It was only with the submission of December 30, 2022 that the bP submitted the additional application to establish that the BG, in accordance with Section 24 Para. 2 Z 5 DSG in conjunction with Section 1 DSG, has violated the norms listed for each “violation type”, which ultimately amounts to a violation of the right to secrecy. Accordingly, the determination of a legal violation that occurred in the past must be discussed.

In this context, however, it must be checked in advance whether the application submitted has not already been precluded as of December 30, 2022.

B.3. The subject of the complaint is also bP's request to order the BG to A) delete bP's personal data and communicate the deletion to the recipients and B) stop the "relevant processing activities".

By “relevant processing activities”, the bP refers to all those processing activities for which the BG wanted to establish a legal basis as part of the use of its cookie banner on September 24, 2021.

B.4. In the present case, it must be checked in advance whether the territorial scope of application of the GDPR has been opened and whether the data protection authority is therefore fundamentally responsible for dealing with the complaint.

C. Findings of Fact

C.1. Cookies can be used to collect information that was generated by a website and stored via an Internet user's browser. It is a small file or text information (usually smaller than one Kbyte) that is placed by a website via an Internet user's browser on the hard drive of their computer or mobile device.

A cookie allows the website to “remember” the user’s actions or preferences. Most web browsers support cookies, but users can set their browsers to refuse cookies. You can also delete the cookies at any time.

Websites use cookies to identify users, remember their customers' preferences, and allow users to complete tasks without having to re-enter information when they move to another page or revisit the site later.

Cookies can also be used to collect information based on online behavior for targeted advertising and marketing. For example, companies use software to track user behavior and create personal profiles that allow them to show users advertising tailored to their previous searches.

Assessment of evidence C.1.: The statements on how cookies work come from the Opinion of the Advocate General in case C-673/17, para. 36 et seq., with further references. Since this is a case-independent and general technical description of the possible functions of cookies, these statements had to be included at the factual level and not in the legal assessment.

C.2. The BG is the operator of the website https://www.runningsport***.com/. It decides under what conditions which cookies are set or read when the website mentioned is accessed.

The website provides news, features, reviews and interviews related to fitness and sports, particularly running. The website also refers to other companies' webshops where customers can buy the products presented. After pressing the “Shop” button, you are redirected to the British website https://www.n***publishing.co.uk/***runningsports-magazine-subscription-website?utm_source=***runningsports.com&utm_medium=referral&utm_campaign=us-websites. Here, website visitors have the opportunity to order a print edition of the articles available online to Austria.

The website also contains product links to web shops such as Amazon as well as advertising. The links and advertising are as follows (formatting not reproduced 1:1):

[Editor's note: The screenshot from the respondent's website reproduced here as a facsimile (graphic file) cannot be pseudonymized with reasonable effort and has therefore been removed.]

The website is not available in German.

Assessment of evidence C.2.: The findings made are based on the BG's statement of May 15, 2023 and an official search by the data protection authority on the website https://www.runningsport***.com/, last accessed on September 18, 2023.

C.3. The bP visited the website https://www.runningsport***.com/ at least on September 24, 2021.

The cookie banner was specifically designed as follows on September 24, 2021 (formatting not reproduced 1:1):

[Editor's note: The screenshot from the respondent's website reproduced here as a facsimile (graphical file) cannot be pseudonymized with reasonable effort and has therefore been removed. It is reproduced approximately as text content below. Square brackets correspond to buttons, underlined characters correspond to links.]

“runningsport.***.com

N*** and third parties use cookies and similar technologies (“Cookies”) on this site. Some cookies are necessary to make this site and our content available to you. Other Cookies analyze and measure audience and traffic. Cookies are also used by us and third parties such as advertisers, ad-tech providers and others (“Vendors”) to develop and serve ads more relevant to your interests based on your consent or our legitimate interests. For a list of Vendors that can set Cookies on your device an browser when you interact with this site and the purposes for which Cookies are set by Vendors and us, click Learn More below. From time to time we may add or remove vendors and/or cookies. You can adjust your preferences including your right to object where legitimate interest is used, or withdraw your consent to certain Cookies at any time. We process personal data obtained through the use of Cookies (such as cookie identifier and/or IP address) for he purposes described in the Privacy Notice published on the site. To consent to the use of Cookies and proceed to the site, click Accept below. […]”

[Learn more] [Accept]

Assessment of evidence C.3.: The findings made are based on the bP’s submission of August 9, 2022 and are undisputed. The screenshot is based on the attachments “banner.png” and “page.html” provided by bP.

C.4. As a result of visiting the website https://www.runningsport***.com/, the following cookies, among others, were set and read on bP's end device on September 24, 2021, which contained a unique, randomly generated value (random number):

| Domain | Name | Value | Explanation |
| --- | --- | --- | --- |
| .**serv.com | *XCID | *8a6d*5***84f-84ea4fa3d43a | The ***infoExchange ID (*XCID) is used to recognize web browser profiles over time across different websites. The service is offered by The ***infoExchange Inc. |
| .ad*learn.org | J*ED | *iWz***V*i_*b4E**8*9i* | The “J*ED” cookie is used to display J***Data advertisements on non-J***Data websites. |
| .**more.org | pl*v | *O*pZ**rT9*A | This cookie does not store any direct personal information, but is based on the unique identification of the browser and internet device. |

The content of the attached attachment “cookies.json” (JSON file) is used as the basis for the findings of fact.

Assessment of evidence C.4.: The findings made are based on the submission of the bP dated August 9, 2022 and the attachment “cookies.json” submitted with it. A JSON file is an archive format for HTTP transactions. The JSON file was checked by the data protection authority. The bP's submission is consistent with the archive data contained therein. The submitted JSON file (or its content) is known to the parties.

In addition, the findings made are based on an official search of the websites https://www.***info-it.com/cookies/ (for the cookie “pl*v”), https://policies.j*** data.com/ /cookies?hl=de#*** -cookies (for the cookie “J*ED”), https://www.the***infoexchange.com/us/privacy (for the cookie “*XCID”), each queried on September 18, 2023.

C.5. The BG is currently not storing any cookie values that were set and read in the bP's end device as a result of the visit to https://www.runningsport***.com/ on September 24, 2021. In addition, the BG does not currently store the IP address of the bP's end device, which was stored in its log files - at least for a short time - as a result of the same visit.

The BG did not inform the recipients of the data transfer (specifically the providers of the services that it has implemented on its website) about the deletion of the data listed under factual finding C.4.

Assessment of evidence C.5.: The findings made are based on the BG's statement of August 21, 2023. Following an express request from the data protection authority, the BG stated that it had carried out a search of the systems it controls. The search is based on the online identifiers listed in the complaint (including the IP address and name). There is no evidence to cast doubt on the BG's arguments. The bP also no longer disputed the BG's allegations in this regard. The factual findings are also supported by the fact that it is fundamentally inherent in cookies that they are automatically deleted after a certain period of time. There are also no investigation results that would justify a contrary finding.

On the other hand, the BG has not sufficiently proven that the recipients of the data transfer were informed about the deletion, although this is undoubtedly the subject of the complaint and the BG was also sent the first submission from the bP in which the recipients were requested to be informed. In fact, the BG has recently done nothing to inform recipients about the deletion. As can be seen from the legal assessment, the BG - according to the case law of the ECJ - bears the burden of proof in this regard within the framework of accountability under data protection law and - despite sufficient opportunity - no evidence was presented.

C.6. The BG has changed its cookie banner on the website https://www.runningsport***.com/. The BG's cookie banner is currently designed as follows (formatting not reproduced 1:1):

[Editor's note: The screenshot from the respondent's website reproduced here as a facsimile (graphical file) cannot be pseudonymized with reasonable effort and has therefore been removed. It is reproduced approximately as text content below. Square brackets correspond to buttons, underlined characters correspond to links.]

“runningsport.***.com

N*** and third parties use cookies and similar technologies (“Cookies”) on this site. Some cookies are necessary to make this site and our content available to you. Other Cookies analyze and measure audience and traffic. Cookies are also used by us and third parties such as advertisers, ad-tech providers and others (“Vendors”) to develop and serve ads more relevant to your interests based on your consent or our legitimate interests. For a list of Vendors that can set Cookies on your device an browser when you interact with this site and the purposes for which Cookies are set by Vendors and us, click Learn More below. From time to time we may add or remove vendors and/or cookies. You can adjust your preferences including your right to object where legitimate interest is used, or withdraw your consent to certain Cookies at any time. We process personal data obtained through the use of Cookies (such as cookie identifier and/or IP address) for he purposes described in the Privacy Notice published on the site. To consent to the use of Cookies and proceed to the site, click Accept below. […]”

[Learn more] [Accept]



If you select the “LEARN MORE” option, the following button appears (formatting not reproduced 1:1):

[Editor's note: The screenshot from the respondent's website reproduced here as a facsimile (graphical file) cannot be pseudonymized with reasonable effort and has therefore been removed. It is reproduced approximately as text content below. Square brackets correspond to buttons, underlined characters correspond to links.]

“***trust

Cookies Choices

Cookies and similar technologies (“Cookies”) are needed for the proper functioning of this site and to give you the optimal experience of our Services. Cookies are also used to develop and serve ads, content or features that are more relevant to your interests. Please review the information below.

We share information with third parties such as advertisers, ad-tech providers and others ("Vendors") on the basis of consent and/or legitimate interest. You may exercise your right to consent or object to a legitimate interest for the purposes described below. Some of the Vendors have adopted the IAB Europe GDPR Transparency & Consent Framework (“IAB Framework”), which requires participants to adhere to the requirements and standards developed by IAB Europe. From time to time we may add or remove vendors and/or cookies.

You can decline most Cookies by clicking on the Decline button below. To decline certain analytics cookies, you will have to use the links provided in the Strictly Necessary & Analytics Cookies tab. We are allowed to use certain cookies regardless of your choices, and we will use cookies to maintain your opt-out preferences. Note, if you do not consent to cookies, some features of the site may not function correctly. You will still see ads on the site, but they will not be based on your interests.

We have described the categories of Cookies and Vendors used on this site in the tabs below. To adjust your preferences, please use the toggles. Cookie-level opt-outs are browser and device-specific.

[Decline] [Confirm my choices]”

“***trust

level optouts are browser and device-specific.

[Accept]

Manage consent preferences

—        Strictly Necessary & Analytics Cookies          Fired Automatically

Strictly necessary cookies are necessary for the website to function and cannot generally be switched off in our systems without negatively affecting page functionality. They are usually only set in response to actions made by you which amount to a request for Services, such as setting your privacy preferences, logging in or filling in forms.

In addition, we use certain analytics cookies to analyze and measure our audience, traffic, and engagement with the site. Those listed below are automatically enabled on our site and you can opt out at any time by following the instructions below.

To opt out of J***Data Analytics: Click here to opt out of J***Data Analytics

[Cookies details (Non-IAB Vendors)]

+        Marketing & Targeting Cookies          [yes/no]

+        Functional Cookies    [yes/no]

[Decline] [Confirm my choices]”

At the bottom left of the website there is the “Cookie Choices” option. This looks like this (formatting not adopted 1:1):

[Editor's note: The screenshot from the respondent's website reproduced here as a facsimile (graphical file) cannot be pseudonymized with reasonable effort and has therefore been removed. It is reproduced approximately as text content below. Square brackets correspond to buttons, underlined characters correspond to links.]

“A Part of N*** Digital Media

We may earn commission from links on this page, but we only recommend products we back.

®2023 N*** Publishing & Media, Inc. All Rights Reserved.

Privacy Notice          CA Notice at Collection  Your CA Privacy Rights/Shine the Light

DAA Industry Opt Out  Terms of Use         Site Map

[COOKIES CHOICES]”

Assessment of evidence C.6.: The findings regarding the cookie banner are based on an official search by the data protection authority on the website https://www.runningsport***.com/, last accessed on September 18, 2023. The finding that the BG has adapted the cookie banner also follows from the file and is undisputed.

D. In legal terms it follows:

D.1. On the scope of application of the GDPR

First of all, it must be checked whether the territorial scope of the GDPR applies:

Although the GDPR is primarily linked to the use of data within the framework of an establishment of a controller or a processor within the Union territory, Article 3 GDPR expands the territorial scope of application of European data protection law. Accordingly, the lack of an establishment in the Union does not necessarily mean that the processing activities of a controller established in a third country are excluded from the scope of application of the GDPR.

Article 3 Paragraph 2 GDPR reads as follows:

"This Regulation applies to the processing of personal data of data subjects located in the Union by a controller or processor not established in the Union, where the data processing is related to: (a) offering goods or services to data subjects in the Union, whether or not payment is to be made by those data subjects, or (b) monitoring their behavior to the extent that that behavior takes place in the Union."

In the present case, Article 3, Paragraph 2, Letter a, GDPR (“Offering goods or services”) and Article 3, Paragraph 2, Letter b, GDPR (“behavioral observation”) come into consideration.

D.1.1. Regarding Article 3, Paragraph 2, Letter a, GDPR (“Offering goods or services”)

Although the concept of "directing an activity" differs from "offering goods or services", the EDPB regards the case law in Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller (joined cases C-585/08 and C-144/09) as helpful in examining whether goods or services are offered to a data subject in the Union. Therefore, taking into account the particular circumstances of the case, the following factors, among others, could be considered, possibly in conjunction with each other:

a)   The EU or at least one Member State is identified by reference to the product or service offered;

b)   the controller or processor pays a search engine operator for an internet referencing service to facilitate access to its website by consumers in the Union, or the controller or processor has launched a marketing and advertising campaign aimed at an audience in an EU country;

c)   the international nature of the activity in question, such as certain tourist activities;

d)   the provision of specific addresses or telephone numbers that can be reached from an EU country;

e)   the use of a top-level domain name other than that of the third country in which the controller or processor is established, e.g. “.de”, or the use of neutral top-level domain names such as “.eu”;

f)   the description of travel instructions from one or more other EU Member States to the place where the service is provided;

g)   the indication of an international customer base consisting of customers based in different EU Member States, in particular through the invoicing by these customers;

h)   the use of a language or currency other than that customary in the trader's country, in particular a language or currency of one or more EU Member States;

i)   the controller offers the delivery of goods to EU member states (cf. Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) of the EDPB of November 12, 2019, p. 20).

As can be seen from the findings of fact (see C.2.), the website provides news, features, reviews and interviews relating to fitness and sport, particularly running. The website also refers to other companies' webshops where customers can buy the products presented and it is only possible to order a print subscription to Austria on the British website.

Accordingly, the website is merely “accessible” to visitors from the EU.

As recital 23 third sentence of the GDPR already states, the mere accessibility of the controller's website, an email address or other contact details or the use of a language that is generally used in the third country in which the controller is established is not sufficient indication of the spatial area of application.

Rather, other factors such as the use of a language or currency common in one or more Member States, combined with the possibility of ordering goods and services in that other language, or the mention of customers or users located in the Union indicate that the controller intends to offer goods or services to persons in the Union (see again recital 23 of the GDPR).

In principle, the bP agrees that a print subscription can be ordered via a link on the website, but this assumption is not covered by the understanding of the territorial scope of application of the GDPR in the sense of the above-mentioned case law, as the only option is to access a British link. An orientation of the website in question towards a European audience cannot be derived from this; rather, a European orientation of the British website can be inferred from this.

The EDPB also takes the view that when it comes to processing activities in connection with the provision of services, the provision applies to activities that intentionally, rather than unintentionally or accidentally, target individuals in the EU. If the processing relates to a service that is only offered to persons outside the EU, but the service is not withdrawn when those persons enter the EU, the relevant processing is not subject to the GDPR. In this case, the processing is not related to the intentional targeting of individuals in the EU, but rather to the targeting of individuals outside the EU, which continues regardless of whether they remain outside the EU or whether they visit the Union (see Guidelines 3/2018 on the territorial scope of application of the GDPR (Article 3) of the EDPB of November 12, 2019, p. 17).

The EDPB also emphasizes that the processing of personal data of a natural person in the Union alone is not sufficient to trigger the application of the GDPR to processing activities of a controller not established in the Union (see Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) of the EDPB of November 12, 2019, p. 18).

D.1.2. On Article 3 Paragraph 2, Letter b, GDPR (“Behaviour Observation”)

Regardless of this, Article 3 Paragraph 2 Letter b of the GDPR triggers the application of the GDPR to the extent that the processing serves to monitor the behavior of data subjects, provided that their behavior takes place in the Union (see also recital 24).

Unlike the provision of Article 3, Paragraph 2, Letter a, GDPR, neither Article 3, Paragraph 2, Letter b, GDPR nor recital 24 expressly requires a necessary level of “targeting” on the part of the controller or processor to determine whether the observation activity would trigger the application of the GDPR to the processing activity (see Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) of the EDPB of November 12, 2019, p. 23).

The EDPB does not consider that “every” online collection or analysis of personal data from individuals in the EU should automatically be considered “observation”. However, the use of the word "observation" implies that the controller has a specific purpose in collecting and subsequently re-using the relevant data on the behavior of an individual in the EU (see Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) of the EDPB of November 12, 2019, p. 23).

Since what matters is suitability, the motivation of the controller is irrelevant. Observation therefore also occurs if the controller is primarily interested in understanding the technical processes on his website, but in doing so processes personal data in a way that makes the Internet activities of a data subject traceable (cf. Ernst in Kühling/Buchner, General Data Protection Regulation Commentary, on Art. 3, Rz. 97).

The application of Article 3 Paragraph 2 Letter b of the GDPR can therefore cover a wide range of observation activities; the EDPB focuses in particular on the following elements (see Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) of the EDPB of November 12, 2019, p. 23):

-    Behavioral advertising

-    Geolocation activities, particularly for marketing purposes

-    Online tracking through the use of cookies or other tracking techniques such as fingerprinting

-    Personalized nutrition and health analysis services online

-    CCTV

-    Market studies and other behavioral studies based on individual profiles

-    Monitoring or regular reporting of an individual's health status

Obviously, this is intended to bring technologies used on the Internet that collect users' Internet activity data (e.g. through appropriate cookies or other user identifiers) into the territorial scope of the regulation, provided that the data collected results in a decision regarding the data subject or the data is used to personalize functionalities or content (e.g. personalized advertising, personalized suggestion functions or personalized search results) based on a profile of the person (see Meyerdierks in Moos/Schefzig/Arning, practical manual GDPR including BDSG and specific use cases, Chap. 3, paragraph 67).

In particular, all forms of tracking and profiling on the Internet through analysis tools fall under the regulation, such as cookies that enable the individual traceability of users or pursue the purposes of individual advertising (targeted advertising) (see Ernst in Kühling/Buchner, General Data Protection Regulation Commentary, on Art. 3, Rz 98).

Even a first-time tracking process that may not be repeated for the data subject can lead to the application of paragraph 2 lit. b GDPR (cf. Ernst in Kühling/Buchner, General Data Protection Regulation Commentary, on Art. 3, Rz 96).

This leads to the result that companies that do not have an establishment in the EU and direct their internet service exclusively to people outside the EU and also operate it on servers outside the EU can still fall within the territorial scope of the regulation if users from the EU access this service and the service offers personalization functions based on behavioral profiles (cf. also the decision of June 2, 2022, GZ: D130.651, 2022-0.088.237; cf. Meyerdierks in Moos/Schefzig/Arning, practical manual GDPR including BDSG and specific use cases, chap. 3, paragraph 71).

As can be seen from the findings, cookies with unique, randomly generated values were set and read on bP's end device as a result of visiting the website. The considerations outlined above can therefore also be applied to the present case.

In conclusion, it should be noted that the case falls within the territorial scope of application of the GDPR - also in view of the purpose of the regulation, which is in particular to offer data subjects the greatest possible protection for their data.

D.2. On the responsibility of the data protection authority

The processing operations in a given case can fall under the provisions of Directive 2002/58/EC as amended (e-Data Protection Directive) or the TKG 2021, as well as the GDPR. While the setting or reading of cookies is to be assessed in accordance with the provisions of Article 5, Paragraph 3 of the e-Data Protection Directive, the subsequent data processing falls within the scope of the GDPR (see EDPB Guidelines 01/2020 on the processing of personal data in connection with connected vehicles and mobility-related applications, version 2.0, Rz 15 and Rz 53).

This also corresponds to the legal opinion of the ECJ in the Fashion ID case. The ECJ also assumed that, as a result of the implementation of a social plugin on a website (this falls within the scope of the e-Data Protection Directive), the transfer of the website visitor's data to Facebook Ireland Limited and the subsequent data processing fall within the scope of the (then) Directive 95/46 GDPR (cf. the judgment of the ECJ of July 29, 2019, C-40/17 Rz 26 and in particular Rz 85).

The data protection authority is therefore responsible for the complaint in question, since data transfer (at least IP addresses and cookie values) took place as a result of the setting or reading of cookies (see fact finding C.4) and the application of the GDPR is not excluded.

D.3. Processing of personal data

In the J***Data Analytics case, the data protection authority has already stated – in line with the case law of the European Data Protection Supervisor (EDPS) – that cookies that contain a unique, randomly generated value (random number) and that are set with the purpose of individualising and separating people meet the definition of Art. 4(1) GDPR. In particular, it can never be ruled out that the cookie values and the IP address of a person’s end device at some point in the processing chain are combined with additional information, e.g. when the data subject registers on a website using their email address or real name (cf. the decision of April 22, 2022, GZ: 2022-0.298.191, available on the website www.dsb.gv.at; this legal opinion is confirmed, among others, by the decision of the BVwG of May 12, 2023, GZ: W245 2252208-1; on the personal reference of “J***Data Analytics Cookies” see also the decision of the EDPS against the European Parliament of January 5, 2022, GZ: 2020-1013, p. 13).

These considerations can be applied to the present case, since as a result of visiting the website https://www.runningsport***.com/ on September 24, 2021, cookies with unique, randomly generated values were set and read in the bP's end device (see factual findings C.4). Subsequently, the cookie values and IP address of the bP's end device were transmitted, for example, to the servers of the respective providers, e.g. J***Data (cookie: J*ED) or The***infoExchange (cookie: "*XCID").

The material scope of application of the GDPR is therefore also fulfilled.

On point 1

D.4. On the obligation to notify in accordance with Art. 19 GDPR (point A of complaint)

As stated, BG is the operator of the website in question and decides which cookies are placed on its website (and, associated with this, which data processing is carried out; see factual findings C.2.).

It follows that BG is to be qualified as the data protection controller pursuant to Art. 4, No. 7, GDPR for the data processing in question, as it decides on the purposes and means of data processing.

According to Art. 19 GDPR, the controller must notify all recipients to whom personal data has been disclosed of any erasure pursuant to Art. 17, Paragraph 1 GDPR, unless doing so should prove impossible or involve disproportionate expenditure.

As can be seen from the findings, the BG deleted the bP’s data but did not inform the recipients of the deletion (see findings of fact C.5.). It must therefore be examined whether the deletion was preceded by an obligation to delete – which would trigger the obligation to notify pursuant to Art. 19 GDPR:

The controller must delete the data in accordance with Article 17, paragraph 1, GDPR if one of the reasons stated in Article 17, paragraph 1, letters a to f of the GDPR applies and there are no exceptions under Article 17, paragraph 3 of the GDPR.

In this context, the bP asserts - in essence - an obligation to delete due to unlawful data processing (Article 17, paragraph 1, letter d of the GDPR).

As already explained in more detail above, the data protection authority is in any case responsible for checking those processing operations that take place after cookies have been set or read in accordance with Article 5(3) of the ePrivacy Directive (“subsequent data processing”).

The first step, however, is to check whether valid consent has been obtained for cookies to be set or read. According to the case law of the ECJ, in the interaction between the ePrivacy Directive and the GDPR, reliance on a legal basis under Article 6(1) of the GDPR can only be considered if the requirements for lawful processing under the ePrivacy Directive are also met (judgment of 17 June 2021, C-597/19, from paragraph 97).

In the present case, however, no valid consent and therefore no lawful processing under the ePrivacy Directive and the GDPR can be assumed, since at the first level of the cookie banner (the request for consent) there was no possibility of not giving consent or of entering the website without giving consent (see finding of fact C.3.).

In particular, this means that an unambiguous expression of intent in accordance with Art. 4(11) GDPR cannot be assumed (for the design of a request for consent, see also point D.8.(b) of the present decision).

The consequence of unlawful processing is the obligation of the controller to delete the data in accordance with Article 17, Paragraph 1, Letter d, GDPR. There is no exception under Article 17, Paragraph 3, GDPR.

This in turn is linked to the obligation to inform the recipients - in this case these are in particular the providers of the tools that the BG has implemented on its website - about the deletion in accordance with the first sentence of Article 19 of the GDPR.

According to the case law of the ECJ, the BG bears the burden of proving compliance with the notification obligation set out in Article 19 of the GDPR in accordance with Article 5 Paragraph 2 (in conjunction with Article 24 Paragraph 1) leg. cit. Such evidence was not provided by the BG in the context of the present proceedings - despite the possibility being granted and an explicit request from the data protection authority (see the judgment of the ECJ of 4 July 2023, C-252/21, para. 95).

At no point did the BG rely on an exception under Article 19, first sentence of the GDPR, and it is also not apparent to what extent the notification would represent a disproportionate effort in the context of an individual case.

In view of the fact that the bP’s data was processed unlawfully for the reasons set out above, it seems necessary to comply with the obligation to provide information in accordance with Art. 19 of the GDPR and, in the opinion of the data protection authority, the exception of disproportionate effort does not come into consideration.

Against this background, a performance order had to be issued in accordance with the operative part.

Regarding point 2

D.5. On the right to deletion (complaint A)

As stated, the BG does not currently store the information that can be considered personal data of the bP - i.e. the IP address and the cookie values of the bP's end device.

According to the jurisprudence of the BVwG, there is also no subjective right to a determination that the rights of those affected - here: the right to deletion - were complied with at best too late (see the BVwG's decision of January 31, 2020, GZ: W258 2226305-1 and the other evidence cited there).

At least at the time of the decision, no violation of Article 17 of the GDPR can be assumed.

D.6. On the application for an order against the BG to end the unlawful processing (complaint B)

In addition, the bP has submitted an application to order the BG to stop the unlawful processing.

According to Article 77 Paragraph 1 of the GDPR, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work or the place of the alleged infringement, if the data subject considers that the processing of personal data concerning them infringes this Regulation.

It can be seen from the wording of Article 77, Paragraph 1 of the GDPR that any requests made as part of a complaint procedure must - to the extent that they can be assumed to be admissible - relate to the person of the complaining party (“personal data relating to them”).

However, as already stated, the BG does not currently store the bP's data that is the subject of the complaint, so that no remedial power can be exercised that relates to the bP's personal data.

Given the final nature of the remedial powers of Art. 58 Para. 2 GDPR (cf. again the decision of the Administrative Court of September 1, 2022, Ra 2022/04/0066) and the wording of Art. 77 Para. 1 GDPR and § 24 Paragraph 1 DSG (“violates” and not “has violated” or “will be violated”; English language version of the GDPR: “infringes”, French language version of the GDPR: “constitue”), no order can be issued as part of a complaint procedure that refers to data processing pro futuro (i.e. in the event that bP accesses the website again in the future).

This means that the content of bP's abstractly formulated violations in connection with the cookie banner no longer needs to be addressed. Such violations of the GDPR must (if necessary) be addressed officially.

Insofar as the bP finally argues that a responsible supervisory authority can also issue an order that “goes beyond the bP’s personal data”, it must be countered that such a “popular complaint” (i.e. a complaint that does not only concern the bP as a person) is inadmissible (cf. the DSB's decision of November 26, 2018, GZ: DSB-D216.697/0011-DSB/2018).

If you look at it another way, there would be no room for the possibility provided for in Article 80, paragraph 2 of the GDPR for member states to provide for a right of appeal for data protection organizations that exists independently of a mandate from a specific data subject. However, the Austrian legislature has not currently made use of this option.

Regarding point 3

D.7. On the bP's application of December 30, 2022 for a declaration of an alleged violation of the right to secrecy (complaint point C)

According to Section 24, Paragraph 4 of the DSG, the right to have a complaint dealt with expires if the person intervening does not lodge it within one year of becoming aware of the adverse event, but no later than three years after the alleged event took place. Late complaints must be rejected in accordance with Section 24 Para. 4 last sentence DSG.

Section 24 (4) DSG refers to an adverse event as the trigger for the deadline to expire. The visit to the website https://www.runningsport***.com/ on September 24, 2021 - and the associated data processing - comes into consideration as such an event.

The submission of the supplementary application dated December 30, 2022, i.e. after more than a year from knowledge of the adverse event (website visit), therefore turns out to be late and the bP's right to have this application processed had already expired at the time of the supplement, which is why the complaint on this point had to be rejected in accordance with Section 24 Paragraph 4 DSG.

In this context, it should be noted that, according to the established case law of the Administrative Court, inadequacies in a submission that do not affect its completeness but rather its chances of success are not subject to an order to correct the defects (cf. among many, the decision of the Administrative Court of April 20, 2022, Ro 2018/06/0001).

Neither from the GDPR nor from the DSG can it be deduced that, in the event of an assertion of a violation of e.g. Art. 17 GDPR, the complaint must also contain a request to the data protection authority that a past violation of the law be determined. In other words: The subject of the complaint can only be a violation of Art. 17 GDPR, and a violation of Section 1 Paragraph 1 DSG or Art. 6 Paragraph 1 GDPR does not have to be asserted at the same time.

In the present case, a complete complaint with clear requests was submitted with the original submission of August 9, 2022, which was therefore not accessible to any order to correct the defects.

Regarding point 4

D.8. On the performance order

a) General

Pursuant to Article 58(2)(d) of the GDPR, the data protection authority has remedial powers that allow it, among other things, to instruct a controller to change or carry out processing operations in a specific way and within a specific period of time.

According to the case law of the BVwG, it is permissible for the data protection authority to use the powers laid down in Article 58, Paragraph 2 of the GDPR ex officio, even in the complaint procedure (cf. the above decision of November 16, 2022, Zl. W274 2237056-1/8E).

The BVwG's considerations are also in line with the case law of the ECJ, according to which a supervisory authority is obliged to make use of its remedial powers in the event of identified deficiencies (cf. the ECJ judgment of July 16, 2020, C-311/18, para. 111).

The complaint in question was ultimately rejected because, among other things, the bP's data had been deleted in the meantime. However, this does not change the fact that, in the opinion of the data protection authority, the cookie banner in question (or more specifically: the request for consent) does not comply with the requirements of the GDPR.

To assess how the cookie banner and the interaction options are to be understood, the figure of an averagely informed, attentive and circumspect consumer must be used (cf. the judgment of the ECJ of 16 July 1998, C-210/96 [Gut Springenheide GmbH] para. 37; the decision of the BVwG of 13 December 2022, GZ: W214 2234934-1; Article 29 Data Protection Working Party, Guidelines on consent under Regulation 2016/67, WP259 rev.01, 17/DE, p. 16; Greve in Sydow, Commentary Art. 12 para. 11; Illibauer in Knyrim, DatKomm Art. 12 para. 39; with regard to the DSG 2000 also Jahnel, Handbook para. 7/22 with further references).

Based on this standard, the following must be noted for the present case:

b) Regarding the performance order according to 4. a) of the ruling

Giving consent for cookies must be just as easy as revoking it (cf. Art. 7 Para. 3 GDPR and the ECJ ruling of October 27, 2022, C-129/21, para. 65).

In conclusion, not giving consent (or closing the cookie banner and continuing to surf without consent) must be just as easy as giving consent. Not giving consent (or closing the cookie banner and continuing to surf without consent) must therefore not require more interactions with the cookie banner than giving consent.

In the present case, a cookie banner is used as a request for consent for the use of cookies (and the associated processing of personal data). Specifically, on the first level of the cookie banner there is only the option to accept the cookie banner ("ACCEPT"). If, on the other hand, you want to reject consent, you must use the "LEARN MORE" option on the second level under "Cookies Choices" to reject consent ("Decline").

However, data subjects cannot be required to only make the decision not to give consent on a button (such as a cookie banner) on a second or third level, as this cannot be assumed to be an unambiguous expression of will within the meaning of Art. 4(11) GDPR.

In particular, it cannot be ruled out that data subjects chose the "Accept" option simply because, from their point of view, there was no immediate option to "Reject" or because, due to the design, they did not even realize that a "Reject" option was available. The BG also bears the burden of proof for the validity of each consent (see the judgment of the ECJ of 4 July 2023, C-252/21, para. 95).

In addition to the above-mentioned case law of the ECJ, it must be taken into account that a procedure whereby data subjects are required to carry out more interactions in order to not give their consent than in order to give their consent cannot comply with the principle of data processing in good faith (“fairly processed”) pursuant to Art. 5 Paragraph 1 Letter a of GDPR, nor with the principle of data protection by design pursuant to Art. 25 Paragraph 1 leg. cit. This fact also speaks in favor of the interpretation of Art. 4 Paragraph 11 in conjunction with Art. 7 GDPR advocated by the data protection authority.

This view ultimately corresponds to the view of the EDPB (see Report of the work undertaken by the Cookie Banner Taskforce, p. 4 f., available at https://edpb.europa.eu/our-work-tools/our-documents/report/report-work-undertaken-cookie-banner-taskforce_en).

A further requirement for a "Reject" option at the first level is that it is visually equivalent to the "Accept" option. This means in particular that both options must be equally visible. The "FAQ on cookies and data protection" can be used as an aid for the visual design of the cookie banner (available on the website of the data protection authority, see in particular question 7 and question 8).

c) On the performance order according to 4. b) of the ruling

As already stated, giving consent must be just as easy as revoking it (see again Art. 7 Para. 3 GDPR and the judgment of the ECJ of October 27, 2022, C-129/21, para. 65). In the online context, it must therefore be clear where and how consent can be revoked.

In the present case, there is no simple and clearly visible indication in the cookie banner itself explaining where consent can be revoked.

There is a "Cookie Choices" button at the bottom of the website https://www.runningsport***.com/ and various preferences for cookies and revocation can be given in the menu (see factual findings C.6.). However, this alone is not sufficient, because it must already be clear from the cookie banner, i.e. at the time the consent is given, how it can be revoked.

In particular, a data subject cannot be expected to search the website to revoke consent.

The BG will therefore have to implement a solution in which it is already clear in the cookie banner where the consent can be revoked.

d) On the performance order according to 4. c) of the ruling

The use of cookies (and the associated processing of personal data) which are not technically necessary for the use of a website requires prior consent (cf. Art. 29-WP Opinion 04/2012 on Cookie Consent Exemption, WP 194, 00879/12/EN p. 9 ff).

According to the case law of the BVwG, Article 5 (3) of Directive 2002/58/EC as amended (in conjunction with Section 165 (3) TKG 2021) is also not to be interpreted in the sense of an “economic necessity”. This means that, for example, advertising cookies for displaying personalized advertising do not become “technically necessary” simply because the display of personalized advertising is necessary to finance the operation of the website (see the decision of the BVwG of March 12, 2019, GZ: W214 2223400-1 and the “FAQ on cookies and data protection,” available on the website of the Data Protection Authority, in particular question 5).

It should be noted that the exception contained in Section 165, Paragraph 3, TKG 2021 “Provision of an expressly requested information society service” (as well as the associated wording “absolutely necessary”) is to be interpreted restrictively. For the admissibility of cookies, this means that they must be absolutely necessary for the provision of the service and that there must be a clear connection with the service expressly requested by the subscriber or user (cf. Riesz in Riesz/Schilchegger (ed.), TKG (2016) Paragraph 96, Rn 48). Likewise, the opinion of the former Art. 29-WP cited at the beginning states that it must be examined what is absolutely necessary from the point of view of the user, not the service provider.

The BG qualifies analysis cookies, e.g. J***Data Analytics, as technically necessary cookies (“strictly necessary cookies”). However, it must be countered that, based on the considerations presented, analysis cookies are in any case not to be regarded as technically necessary cookies (see also the decision of the BVwG of May 12, 2023, W245 2252208-1/36E and W245 2252221-1/30E on J***Data Analytics and the personal reference of J***Data Analytics cookies).

The BG will therefore have to adapt its website accordingly so that prior consent is obtained for the use of such analysis cookies and the associated data processing.

It was therefore necessary to decide in accordance with the ruling.