Editing Datatilsynet (Denmark) - 2021-431-0125

{{DPAdecisionBOX

|Jurisdiction=Denmark
|DPA-BG-Color=
|DPAlogo=LogoDK.png
|DPA_Abbrevation=Datatilsynet (Denmark)
|DPA_With_Country=Datatilsynet (Denmark)

|Case_Number_Name= 2021-431-0125
|ECLI=

|Original_Source_Name_1=Datatilsynet
|Original_Source_Link_1=https://www.datatilsynet.dk/afgoerelser/afgoerelser/2021/okt/alvorlig-kritik-af-alstroem-din-isenkraemmer-aps’-behandling-af-personoplysninger-om-hjemmesidebesoegende
|Original_Source_Language_1=Danish
|Original_Source_Language__Code_1=DA

|Type=Complaint
|Outcome=Upheld
|Date_Decided=20.10.2021
|Date_Published=
|Year=2021
|Fine=None
|Currency=

|GDPR_Article_1=Article 4(11) GDPR
|GDPR_Article_Link_1=Article 4 GDPR#11
|GDPR_Article_2=Article 6(1)(a) GDPR
|GDPR_Article_Link_2=Article 6 GDPR#1a



|Party_Name_1=Alstrøm – Din Isenkræmmer ApS
|Party_Link_1=https://www.alstrom.dk
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=
|Party_Name_5=
|Party_Link_5=

|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=

|Initial_Contributor=n/a
|
}}

The Danish DPA criticised a company for their website's cookie consent form. The pop up boxes on the website were designed to make it more difficult to reject the use of cookies than to accept such use.

== English Summary ==

=== Facts ===
A data subject had made a complaint regarding the controller's use of cookies on their website. The controller had relied on consent as a legal basis. The controller had first requested consent through a pop up box stating that the website used cookies. The pop up box contained two hyperlinks labeled "Read more about cookies" and "Close". During the DPA's investigation, the controller had introduced a new method of requesting consent. The controller's second solution included more information about the processing, as well as the option to opt out of processing for specific purposes from a list. With the new solution, the user had the choice between two hyperlinks labeled "ACCEPT ALL" and "Accept". The Danish DPA assessed both the first and the second consent request solution.

=== Holding ===

==== Solution 1: alternatives "Read more about cookies" and "Close": ====
The DPA held that the controller had not obtained legal basis for the use of cookies when the first solution was practised cf. [[:Category:Article 6(1) GDPR|Article 6(1) GDPR]]. The data subject did not have the option to consent to processing for particular purposes. More importantly, the controller offered no opt-out solution for the use of cookies. The data subject therefore had no choice in the matter when visiting the website. As a consequence, the DPA issued severe criticism of the processing activities.

==== Solution 2: alternatives "ACCEPT ALL" and "Accept": ====
The DPA then had to assess whether the amendments made to the methods for obtaining consent were sufficient. The DPA held that although the data subject now had the possibility to reject all cookies, the website had been designed in a way that ushered the data subject to click the "ACCEPT ALL" box. It had been easier for the data subject to consent to the use of cookies than to reject such use. The DPA therefore issued criticism of the second solution. 

Lastly, the DPA also issued severed criticism of the processing activities after the second solution was implemented because the cookie tracking began before obtaining the data subject's consent. The website's cookies were applied to every visitor from the moment they accessed the website. 

== Comment ==
''Share your comments here!''

== Further Resources ==
''Share blogs or news articles here!''

== English Machine Translation of the Decision ==
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

<pre>


		

	
	
		


</pre>