Rb. Amsterdam - ECLI:NL:RBAMS:2323:6530: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 73: Line 73:
On 8 August 2023, in response to the CNIL decision against Criteo, the data subject, a Dutch resident wrote to both Criteo’s Dutch establishment (Criteo B.V.) and their French establishment (Criteo S.A.) requesting them to cease unlawfully processing their data, to provide them with a copy of their data (Article 15 GDPR access request), and to delete all data related to them (Article 17 GDPR erasure request). Included in the letter, was a report by an independent technical expert that the data subject had contracted, which demonstrated that cookies had been placed on the data subject’s devices without their consent and that their data had been processed without their consent by websites belonging to the Criteo group.  
On 8 August 2023, in response to the CNIL decision against Criteo, the data subject, a Dutch resident wrote to both Criteo’s Dutch establishment (Criteo B.V.) and their French establishment (Criteo S.A.) requesting them to cease unlawfully processing their data, to provide them with a copy of their data (Article 15 GDPR access request), and to delete all data related to them (Article 17 GDPR erasure request). Included in the letter, was a report by an independent technical expert that the data subject had contracted, which demonstrated that cookies had been placed on the data subject’s devices without their consent and that their data had been processed without their consent by websites belonging to the Criteo group.  


On 7 September 2023, Criteo’s legal representatives responded. Criteo refused the data subject’s requests on the grounds that Criteo was not the controller. They argued that the operators of the websites were responsible for the non-compliant cookie practices and not Criteo.  
On 7 September 2023, Criteo B.V.'s and Criteo S.A.'s legal representatives responded in the same email. Criteo refused the data subject’s requests on the grounds that Criteo was not the controller. They argued that the operators of the websites were responsible for the non-compliant cookie practices and not Criteo.  


On 21 September 2023, the data subject instigated summary proceedings against Criteo’s Dutch and French establishments in the Amsterdam District Court (Rechtbank Amsterdam). In their submissions to the Court, the data subject made three requests: (i) that the Court order Criteo to stop placing cookies on user devices without consent, (ii) that Criteo respond to their access request, and (iii) that Criteo fulfil their erasure request.
On 21 September 2023, the data subject instigated summary proceedings against Criteo’s Dutch and French establishments in the Amsterdam District Court (Rechtbank Amsterdam). In their submissions to the Court, the data subject made three requests: (i) that the Court order Criteo to stop placing cookies on user devices without consent, (ii) that Criteo respond to their access request, and (iii) that Criteo fulfil their erasure request.

Revision as of 15:51, 30 October 2023

Rb. Amsterdam - ECLI:NL:RBAMS:2323:6530
Courts logo1.png
Court: Rb. Amsterdam (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 6(1)(a) GDPR
Article 11.7a of the Telecommunications Act
Decided: 18.10.2023
Published: 20.10.2023
Parties: Criteo
National Case Number/Name: ECLI:NL:RBAMS:2323:6530
European Case Law Identifier: ECLI:NL:RBAMS:2323:6530
Appeal from:
Appeal to: Not appealed
Original Language(s): Dutch
Original Source: Rb Amsterdam (in Dutch)
Initial Contributor: n/a

The Amsterdam District Court ruled that digital advertising platform, Criteo, was in violation of Article 6(1) GDPR for failing to obtain users’ consent prior to placing tracking cookies on their devices. Moreover, it held that Criteo and its third-party partner companies, were joint controllers for the purpose of Article 26 GDPR, and thus both Criteo and its partner companies were responsible for ensuring that valid consent had been obtained prior to the placement of cookies.

English Summary

Facts

On 15 June 2023, the CNIL (the French DPA) fined Criteo S.A. € 40,000,000 for their unlawful cookie practices. Criteo is a digital advertising platform that enables businesses to target customers through personalised advertising. As part of their business model, Criteo places tracking cookies on user devices through their partner websites. The CNIL fined Criteo because it collected cookies without having obtained prior user consent, and even in cases where users had refused consent, their websites still collected cookies.

On 8 August 2023, in response to the CNIL decision against Criteo, the data subject, a Dutch resident wrote to both Criteo’s Dutch establishment (Criteo B.V.) and their French establishment (Criteo S.A.) requesting them to cease unlawfully processing their data, to provide them with a copy of their data (Article 15 GDPR access request), and to delete all data related to them (Article 17 GDPR erasure request). Included in the letter, was a report by an independent technical expert that the data subject had contracted, which demonstrated that cookies had been placed on the data subject’s devices without their consent and that their data had been processed without their consent by websites belonging to the Criteo group.

On 7 September 2023, Criteo B.V.'s and Criteo S.A.'s legal representatives responded in the same email. Criteo refused the data subject’s requests on the grounds that Criteo was not the controller. They argued that the operators of the websites were responsible for the non-compliant cookie practices and not Criteo.

On 21 September 2023, the data subject instigated summary proceedings against Criteo’s Dutch and French establishments in the Amsterdam District Court (Rechtbank Amsterdam). In their submissions to the Court, the data subject made three requests: (i) that the Court order Criteo to stop placing cookies on user devices without consent, (ii) that Criteo respond to their access request, and (iii) that Criteo fulfil their erasure request.

Holding

Before considering the merits of the case, the Court considered issue of jurisdiction. The Court held that it was competent to hear the case on the basis of Article 79(2) GDPR, as the data subject’s habitual residence was in the Netherlands.

On the merits of the case, the Court held that Criteo B.V., Criteo S.A., and their partner websites were joint controllers for the purposes of Article 26 GDPR. It held that their cookie practices were (i) in violation of Article 6(1)(a) GDPR, and (ii) Article 11.7a of the Dutch Telecommunications Act.

(i) Firstly, the Court held that Criteo and its partner websites were in violation of Article 6(1)(a) GDPR because they purported to rely on consent for their processing, however, consent was not valid. The expert report submitted by the data subject (claimant) proved that out of 39 of the 40 websites visited, tracking cookies from Criteo were placed on the data subject’s devices without their prior consent. Moreover, in instances where the data subject had refused consent, the websites placed cookies regardless. As joint-controllers, Criteo was responsible for ensuring that consent was validly obtained. (ii) Secondly, the Court held that Criteo and its partner websites were in violation of Article 11.7a of the Dutch Telecommunication Act. This provision states that storing cookies on a user’s device is only lawful if the user has consented to it.

As a result, the Court ordered Criteo to (i) stop placing cookies on user devices without consent, (ii) to respond to the data subject’s access request, and (iii) to fulfil the data subject’s erasure request. The Court gave Criteo 7 days from the date of the judgment to comply with its orders. In the instance of non-compliance, Criteo would face a daily fine of €250 per violation, and up to a maximum of €25,000 cumulatively per violation.

Comment

The complete version of Article 11.7a of the Telecommunications Act states that:

  1. Without prejudice to the General Data Protection Regulation, storing or accessing information in a user's peripheral equipment via an electronic communications network is only permitted on condition that the user concerned:

a. has been provided with clear and complete information in accordance with the General Data Protection Regulation, at least about the purposes for which such information is used, and b. has consented to it.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Judgment of the judgment
RIGHT BANK AMSTERDAM

Department of Private Law, Provisional Law Civilian

number / rol number: C/13/739403 / KG ZA 23-829 EAM/MAH

Judgment in summary proceedings of 18 October 2023

in the case of

[Claimant] , it's , that's

living [inhabitary],

claimant by summons of 21 September 2023,

- lawyer Mr. M.H.L., MS. Hemmer in Rotterdam,

against

1. the private company with limited liability

CRITEO B.V.,

established in Amsterdam,

2. the legal person under French law

CRITEO S.A.,

located in Paris,

The defendants,

- Lawyers Mr. C. C. Jeloschek and Mr. S.A.M., M. Meijer in Amsterdam.

The plaintiff will be called [Claimant] and defendants together also Criteo. Defendants are designated separately as: the BV and the SA.
1 The procedure
1.1. .

At the session of 4 October 2023 [Claimant] the summons explained. Criteo has defended. Both parties have in jet productions and a plea.
1.2. 1.2.

The session was present:

- [Claimant] with Mr. - Hemmer, - Hemmer,

- on the side of Criteo: [name] (product manager, responsible for compliance), assisted by an interpreter of English, with mr. Jeloschek and Mr. Meijer. Meijer.
1.3. 1.3.

The judgment is determined today.

2. 2. The facts
2.1. . .
2.2. 2.2.

Criteo places so-called tracking cookies (including in any case the so-called "uid" cookie) on computers and/or other mobile devices via third-party websites. Tracking cookies contain a unique ID, a random list of characters, assigned to the browser of a particular website visitor. With every website that has a link with Criteo and that is visited with that browser, the same tracking cookie is read. The aim is to collect and analyse surfing behaviour, interests and/or other data of internet users for commercial purposes.
2.3. 2.3.

Criteo uses tracking cookies for targeted advertising, tailoring ads to individual users. This is done by creating user profiles and recognizing users when they visit the internet. Within a fraction of a second, the Real Time Bidding (RTB) System recognizes an internet user and an ad tailored to the respective user. Tracking cookies play an essential role in this.
2.4. 2.4.

On 15 June 2023, the National Commission imposed a fine of € 40,000,000 on Criteo SA for violation of various provisions of various provisions of the Libertés (CNIL), the French privacy regulator (CNIL), a fine of € 40 million on Criteo SA for violations of various provisions of the GDPR. According to the CNIL press release, this was “in particular for for failing to verify that the persons from whom it processed data had given their consent”. That message also states that the CNIL has submitted its decision to the other 29 European regulators, as they were all involved in this “cross-border case”, and that they gave their approval.
2.5. 2.5.

By letters of 8 August 2023 the lawyer of [claimant] wrote to the SA (in English) and the BV (in Dutch) that Criteo

- tracking cookies (in any case the uid cookie) via third-party websites will place on [plaintiff] devices without their consent, and

- the personal data obtained from [claimant] processed, also without his consent,

- and thus acts in violation of Article 11.7a(1) of the Telecommunications Act (Tw) and Article 5 (1) (a), 6 paragraph 1, 7, 13 and 14 General Data Protection Regulation (GDPR).

In support of substantiation, [Claimant] relies on an investigation by an independent technical expert, which would show that [the plaintiff] has been followed by members of the Criteo group on four websites named.

Criteo is finally summoned in the letter to confirm within seven days that they

1) the unlawful conduct directly ceases,

2) within one month (i) that the SA and/or the BV are controllers, (ii) with regard to which specific processing activities and (iii) which other controllers there are (possibly) within the Criteo group,

3) within one month in accordance with Art. 15 GDPR, giving access to the unlawfully processed personal data of [claimant],

4) provides information within one month in accordance with Art. 15 (1) and 2 GDPR, including an overview of group entities and (other) third parties who have received unlawfully processed personal data from [claimant] and information about, among other things, the cookie ID concerning [the plaintiff] ,

5) delete the unlawfully processed personal data of [claimant] within one month and after the above information provided,

6) within one month all group entities and (other) third parties, included in the overview referred to in point 4), informs about this request for removal so that they can also proceed to erasure.
2.6. 2.6.

By e-mail of 30 August 2023, Criteo’s lawyer, summarised, replied as follows.

Criteo will respond to claims 2) to 6 p. law in accordance with Art. 12 para. 3 GDPR.

Criteo assumes that the announced summary proceedings will be off the track.
2.7. . .

By e-mail of September 5, 2023, the [claimor]’s lawyer has:

- the protections of Criteo rejected,

- a report promised that many more websites place Criteo cookies without prior permission, and

- included screenshots that would show that Criteo still places or reads cookies without permission, at least on two of the websites mentioned in the letter of 8 August 2023.
2.8.

Criteo’s lawyer emailed [the plaintiff]’s lawyer on September 7, 2023:

“... Your assumption that Criteo denies responsibility is false. In fact, only the website operators are technically in a position to correct the implementation of the technology on their digital properties. Thus, the obligation to obtain consent resides with the website operators and Criteo indeed is a contractual and contractually entitled to rely on the collection of consent. Now the operators of the two-emed websites in your email have not taken sufficient measures in response to Criteo's notice demandings it to with their obligation their to obtain consent from website users, please please know-atly informed that Criteo has immediately now proceeded to take actions to its terminate commercial relationship with these two website operators in the regions affected. Accordingly, Criteo will be a sure will that the website operators will any remove any Criteo technology from their digital properties as soon as possible. To be clear, the CNIL confirmed in itself its decision that it that considers that Criteo now complies with the requirements of the GDPR in this regard.

Criteo res its commitment to accordance act in with the law and invites your client to make use of the Criteo opt-out mechanism or the indicated browser-positioned mechanisms in our letter of August 30.

We, we do not know any more respect your request your client to communicate to Criteo the names of the other websites that allegedly do not collect consent properly.

In view of the above, there is no need to file summary. [...]” . . . . .
2.9. 2.9.

By e-mail of 8 September 2023, Criteo has extended the period for responding to the information and access requests of 8 August 2023, with reference to Art. 12 (3) GDPR.
2.10.

On 21 September 2023 the summons in this summary proceedings were issued, with a production 19 and 29 (English and Dutch version of an expert report (hereafter referred to as: the Report) of Floor Terra of the Privacy Company in The Hague, dated 1 September 2023, was added. In the Report, the visit (stored on a so-called HAR file) of [plaintiff] on 29 August 2023 is analysed to 40 websites (para. 3), five of which are in detail (viata.nl, brandfield.nl, otto.nl, jaap.nl and kookwinkel.nl).

In par. 3 include the following:

“During the loading of 39 of these sites, Criteo interacted with cookies on the user’s device [” [plaintiff] of his domains criteo.com and bidswitch.net without the user’s permission. Each of these websites has a cookie banner that apparently offers the user the choice to accept all cookies or change the settings to refuse all cookies or different categories of cookies.”

The five mentioned websites shall always be found that it sent various network requests to Criteo without waiting for a consent signal from [equip], with the request header being sent to criteo.com in the request header:

- as cookie information: uid : [the number/letter series ending in eac359 linked to [plaintiff]]

- as a ‘referrer’: the URL of the website (e.g. www.otto.nl).

The unique uid of [Claimant] has been sent to Criteo together with the visited website.

Four of these five websites also say that:

- a network request has been sent to bidswitch.net, which is also owned by Criteo and places unique persistent cookies for each user, and

- cookie syncing network requests called Criteo were sent to other Adtech companies (including adnxc.com (Xander, owned by Microsoft)).

The conclusion is always that Criteo has read the uid cookie on the [claimant] device countless times before he had given permission, together with a reference to the website itself. “Criteo therefore collected information about [ [plaintiff] ] and recorded that [”plaint] visited this website without any legal basis.”

The summary of the analysis of the five websites is:

“(...) On all these websites, the uid cookie from Criteo is read out by the criteo.com domain without permission. (...) From the above link [to Criteo's cookie statement - vzr] it is clear that the purpose of the ID is to collect profile data and use it to target advertising. Criteo also tracks users through its domain bidswitch.net and regularly synchronizes cookies with many other Adtech companies without permission. The other 34 locations visited by the gentleman [Claimant] are closely related to the activities of the 5 sites analysed above.”

The researcher has also tested the five websites himself and reports them in par. 4 of the Report, after which it concludes that the findings apply not only to [claimant] but to different users.

The conclusion (par. 5) of the Report is:

“As evidenced by the analysis of the HAR file, Criteo has placed cookies many times without permission without permission and read cookies on the User’s browser. The uid cookie is a permanent unique identifier for the User, and Criteo has set a record of User’s visits to these websites without the knowledge or consent of the User.

As the above analysis of the websites shows, this behavior is consistent on these and possibly many other sites. Criteo thus performs the same behavior when a user visits these and many other sites, resulting in large-scale profiling of Dutch citizens without their knowledge or consent.”

The report is accompanied by a list of 39 websites.
2.11.1.

On behalf of the SA “and its affiliates and subsidiaries (“Criteo”), her lawyer emailed the following response to the sommations 2 to August 8, 2023, from the letter of August 8, 2023, to:

2) (i) Confirmed that Criteo SA is a data controller.

(ii) All processing activities conducted by Criteo for the purpose of providing its services.

Criteo SA acts as the data controller for the Criteo group.

3) The data export in the excel sheet (Appendix 1) contains the personal data in Criteo's systems relating to the communicated cookie ID. In addition, the data attached description table (Appendix 2) explains the contents of the data export. To be clear, if a table in Appendix 1 is empty this means that Criteo does not process any such personal data relating to the cookie communicated ID.

4) (i) Criteo has passed on the data of the communicated cookie ID to its legal advisors at Kennedy Van der Laan (...) and will do if so necessary to courts, if they are relevant to legal proceedings.

In accordance with article 15 (1) of the GDPR [General Data Protection Regulation ? GDPR – vzr.], the categories of recipients of personal data are:

    -
    - -

    Data platforms
    - -

    Partners allow us to match several identifiers
    - -

    Partners allowing us to locate you inaccurately
    - -

    Our subsidiaries and affiliates
    - -

    Any recipient necessary to comply with legal, regulatory, judicia! or administrative obligations

(ii) The personal data in Criteo's systems related to the communicated cookie ID is included in Appendix 1.

5) Criteo has deleted the communicated cookie ID from its system, so that Criteo can no longer assign any data to the cookie communicated ID and will also no no no collect any data on the communicated cookie ID in the future. Appendix 1 will, itself, continue to be stored outside the Criteo system until the legal claim related to it has ended.

6) Criteo is notifyinging the recipients mentioneds in the report that made September 1, 2023 that was provided as part of [pclaimer]'s legal claim against Criteo (as exhibit 19), in order to enable them to erase personal data related to communicated the cookie ID.

Conclusion of the

Crite considerso to have fulfilled the above requests to exercise data subject rights in with the accordance with the GDPR.”
2.12. 2.12.

About the uid cookie is on the 1Criteo website 1:
3 The Dispute
3.1.

[the plaintiff] progresses, in summary:

I. I. Criteo to command the unlawful act by in order to cease (do) ceasegoing and cease to cease and cease by no longer, whether or not via third-party websites, placing tracking cookies on the computer and/or [claimant] devices before he has given legal permission,

II. II. Territories to be Territories to provide access to the processed personal data of [claimant] within seven days of the judgment date,

III. III. Territories to be Territories to provide information within seven days of judgment date, including specific information about third-party recipients in order to identify and, where necessary, to provide them with the processing operations that have taken place with [claimant] personal data,

The IV. to Territos Criteo to remove the personal data processed unlawfully within seven days of the judgment date,

V. V. Criteo to be Territos around

- within seven days of the judgment date all group entities and (other) third parties, included in the overview to be provided on the basis of edge number 3 [if intended: III. – fair], to inform the deletion request, so that these parties, at the explicit request of Criteo, also proceed to the deletion of the personal data and any other related information obtained or otherwise processed by means of the fore-named actions, insofar as they are necessary at the explicit request of Criteo.

- and to provide any so-called requests by Criteo to those group entities and (other) third parties,

everything under penalty for periodic penalty payments and with the joint and head of conviction of defendants in the procedural costs, with statutory interest.
3.2. 3.2.

Criteo is defending.
3.3. .

The positions of the parties are discussed hereafter, as far as important.
4 The review
Jurisdiction and applicable law
4.1. And 4.1.

Now that one of the defendants is established in France, first of all, the jurisdiction and the applicable law must be judged.
4.2. 4.2.

The Dutch preliminary relief judge is competent to rule on the claims, both on the basis of Article 79 paragraph 2 GDPR (ordinary residence concerned), Article 7 paragraph 2 of Regulation (EU) No. 1215/2012 of the European Parliament and of the Council on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (Brussels Ia) (possicial) (place harmful fact) as Article 8 (1) Brussels Ia (close link between claims against the two defendants).
4.3. .

The claims are governed by Dutch law under Article 10:159 of the Dutch Civil Code and Article 4 paragraph 1 of Regulation (EU) No. 864/2007 of the European Parliament and of the Council on the law applicable to non-contractual commitments (Rome II).
4.4.

Criteo has not disputed this.

Urgent interest
4.5. 4.5.
4.6.

Contrary to what Criteo believes, [the plaintiff] has sufficient urgent interest in the claims.

What are tracking cookies?
4.7.4.

This case is about (third party) tracking cookies. The Data Protection Authority (AP) defines 2 cookies as follows:

“Cookies are small files that the owner of a website places on a visitor’s device. For example, on a computer, laptop, smartphone or tablet. For example, the owner can collect or store information about the website visit or about the visitor (the device of) the visitor.

Side form below

There are three types of cookies:

    -
    - -

    analytical cookies;
    - -

    tracking cookies.”

The AP says about tracking cookies 3:

“If cookies can also be read when visiting another website, we call this tracking cookies. These cookies allow organizations to track people’s internet behavior over time. Tracking cookies make it possible to create profiles of people (profiling) and treat them differently. Tracking cookies usually process personal data.

Personal interests can be derived from the information about visited websites. This allows organizations to show their website visitors, for example, targeted advertisements. (...) Do you process personal data of visitors to your website with tracking cookies? Then you must comply with the rules of the General Data Protection Regulation (GDPR).

Applicable regulations and regulations
4.8.

Article 11.7a The Telecommunications Act, to the extent relevant:

1. 1. Without prejudice to the General Data Protection Regulation, the storage or access to information in a user's peripherals via an electronic communications network is only permitted provided that the user concerned:

(a) is provided with clear and complete information in accordance with the General Data Protection Regulation, at least on the purposes for which this information is used; and

b. has given permission for this.
4.9. 4.9.

The GDPR is, where relevant:

Article 1 (Subject and Objectives)

2. 2. This Regulation protects the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.

Article 5 (Cinches on the processing of personal data)

1. 1. Personal data must be:

(a) be processed in a manner lawful, decent and transparent in relation to the person concerned ('lawfulness, fairness and transparency');

[...] and [...]

f) by taking appropriate technical or organizational measures are processed in such a way as to ensure appropriate security, and that they are protected, inter alia, against unauthorised or unlawful processing and against accidental loss, destruction or damage ('integrity and confidentiality').

2. 2. The controller is responsible for compliance with paragraph 1 and can prove it (accountability obligation).

Article 6 (Rightness of processing)

1. 1. The processing is lawful only if and to the extent that at least one of the following conditions is met:

a. (a) the data subject has given consent to the processing of his personal data for one or more specific purposes;

[...] or )

Article 7 (Conditions for consent)

1. 1. Where the processing is based on consent, the controller must be able to demonstrate that the data subject has given consent to the processing of his personal data.

2. 2. If the person concerned gives consent in the context of a written statement that also covers other matters, the request for consent in an intelligible and easily accessible form and in clear and simple language shall be presented in such a way that a clear and simple distinction can be made with the other matters. Where part of such a declaration constitutes an infringement of this Regulation, that part shall not be binding.

3. 3. The data subject has the right to withdraw his consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on the consent before its withdrawal. Before giving his consent to the data subject, he shall be informed. Withdrawing consent is as easy as giving it.

4.4. When assessing whether consent can be given freely, the question is taken, among other things, to the extent of whether the performance of a contract, including a service contract, requires consent for the processing of personal data that is not necessary for the performance of that agreement.

Article 12 (Transparent information, communication and detailed rules for the exercise of the rights of the data subject)

1. 1. The controller shall take appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 and the communication referred to in Articles 15 to 22 and Article 34 in connection with the processing in a concise, transparent, comprehensible and easily accessible form and in clear and simple language, ... The information shall be provided in writing or by other means, including, where appropriate, electronic means. [...] and [...]

3. 3. The controller shall provide the data subject with information without delay and in any event within one month of receipt of the request pursuant to Articles 15 to 22 of the action taken on the request. Depending on the complexity of the requests and the number of requests, that period may be extended by a further two months if necessary. The controller shall inform the data subject of such an extension within one month of receipt of the request. [...] or lyal )

[...] and [...]

5. 5. [...] and [...] Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive nature, the controller may ...:

[...] and [...]

(b) refuse to comply with the request.

It is for the controller to demonstrate the manifestly unfounded or excessive nature of the request.

[...]”

Article 15 (Right of access by the person concerned)

1. 1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her or her or her or her or her or her or her right to obtain access to such personal data and to the following information:

(a) the purposes of processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d) where possible, the period during which the personal data are expected to be stored, or, if not possible, the criteria for determining that period;

(e) the data subject has the right to request the controller rectification or erasure of personal data, or restriction of processing of personal data concerning you, as well as the right to object to such processing;

(f) that the data subject has the right to lodge a complaint with a supervisory authority;

(g) where the personal data are not collected from the data subject, all available information about the source of that data;

(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

[...] and [...]

3. 3. The controller shall provide the data subject with a copy of the personal data processed. [...] and [...]

4.4. The right to obtain a copy referred to in paragraph 3 does not affect the rights and freedoms of others.

Article 17 (Right to erasure (‘right to oblivion’)’)

1. 1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following circumstances applies:

[...] or )

the personal data have been unlawfully processed;

2. 2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that the data subject has requested the erasure by the controller to err any links to, or copy or replication of, those personal data.

[...] or )

Article 26 (Commuting Controllers)

1. 1. When two or more controllers jointly determine the purposes and means of processing, they are joint controllers. They shall establish, in a transparent manner, their respective responsibilities for the fulfilment of the obligations under this Regulation, in particular with regard to the exercise of the rights of the data subject and their respective obligations to provide the information referred to in Articles 13 and 14, by means of a mutual arrangement, unless and to the extent that the respective responsibilities of the controllers are established by a provision of Union or Member State law applicable to controllers. A contact point for those involved may be identified in the scheme.

2. 2. The rules referred to in paragraph 1 clearly show the role of the joint controllers and their respective relations with the data subjects. The essential content of the scheme shall be made available to the data subject.

3. 3. Irrespective of the conditions of the scheme referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against any controller.

Article 79 (Right to establish an effective judicial remedy against a controller or a processor)
1. 1. Without prejudice to any other administrative or extrajudicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, any data subject shall have the right to bring an effective judicial remedy if he considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data which does not comply with this Regulation.

[...] or )

Article 82 (Right to compensation and liability)

1. 1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for damages for the damage suffered.

[...] or )

Claim I. prohibit tracking cookies placing [claimant] on device without permission
4.10.

The placing of tracking cookies is only permitted under Article 11.7a of the Telecommunications Act if prior permission has been obtained and if sufficient information has been provided. In addition, Criteo processes personal data of [claimant] by means of the tracking cookies, so that the requirements of the GDPR (including - also - prior consent pursuant to Art. 6 para. 1 lit. a GDPR) must also be met. With regard to - in any case - a uid cookie must be obtained from the user, such as [claimant], before a tracking cookie can be placed, read or otherwise used.
4.11.1.

Criteo acknowledges all this. Compliance with the privacy legislation (including the GDPR and Article 11.7a Tw) is stated, so it states, among other things, on its website and in its letters to [claimer], high on its agenda.
4.12. 4.12.

However, the letter of [Claimant] of 8 August 2023 and the expert report he submitted by him from 1 September 2023 shows that systematically (39 of the 40 websites visited) tracking cookies from/via Criteo have been placed on [claimant] devices without his prior consent.
4.13.3.

Criteo does not dispute that in itself, but she leads, in the nucleus, the following arguing:

1) not Criteo but its partners are responsible for obtaining consent,

2) Criteo acts as soon as a partner does not comply with its contractual obligation, it can no longer do so,

3) there is no urgent interest because Criteo has offered [the plaintiff] two methods with which he can stop unwanted cookies himself

Criteo is responsible for the permission
4.14.4.

According to Criteo, she provides services to its partners, the so-called ‘publishers’, who wish to sell advertising space to advertisers. These publishers are in direct contact with end users (e.g. website visitors), Criteo not. Criteo provides to the partner a Java Script, software that can be integrated by the partner into its website so that tracking cookies from Criteo can be placed on devices of end users (such as [claimant]). These cookies collect information that helps personalize advertisements so that the end user is shown to the end user that match their interests.
4.15.5.

The parties agree that Criteo and its partners are joint controllers within the meaning of Article 26 GDPR (‘joint controllers’).
4.16.6.

The preliminary relief judge is of the opinion that Criteo cannot hide behind its partners for obtaining consent. Criteo has contractually outsourced the obtaining of consent to its partners and that is allowed. This means that if the partner provides information about and consents to the placement of cookies, Criteo does not have to do so (cf. Court Amsterdam 15 March 2023, ECLI:NL:RBAMS:2023:1407, r.o. 14.15).
4.17.7.

It is clear from the Report that many Criteo partners have not fulfilled their obligations because cookies have been placed before [eclarant] has already been able to choose cookies. Even after refusing consent, Criteo continued to receive cookie data and browsing information from some sites (par. 4 report). Criteo, as controller within the meaning of the GDPR, must have a legal basis for the processing of the personal data it obtains through the cookies. In this case, this can only be the a-ground of Art. 6 GDPR: “the data subject has given consent to the processing of his personal data for one or more specific purposes”. Criteo must demonstrate that it has that consent (Art. 5 para. 2 GDPR) and according to the above, it cannot do so in a large number of cases. Criteo has not complied with its legal obligations and has acted unlawfully towards [Claimant]. Moreover, the Report shows that the unlawful acts are not limited to [claimant] and probably not to the 39 websites.
4.18.8.

Criteo’s rulings brought into the proceedings by German judges (civil judges at first and second instance, understood to the preliminary relief judge) there is no meaning in this preliminary summary proceedings. Criteo has only referred to the judgments in a general sense, did not provide translation and has not made it plausible that they are sufficiently similar cases and legal rules.

The squee-system is not enough
4:19,19.

Criteo also invokes that the negative CNIL ruling plus fine of € 40,000,000 concerns the old situation and that it now complies with the GDPR because it screens new partners in advance (KYC), imposes the GDPR obligations on the partners, carries out audits with its partners and does not require permission correctly in advance. Criteo, however, fails to mention that she only occurs when she receives a signal (e.g. [plaintiff]). Apart from the fact that Criteo has not demonstrated with documents that it has adequately acted against 39 websites - it has only submitted four warnings and two denunciations with regard to the 4 websites mentioned in the letter of 8 August 2023 - this defence does not avail her because reactive action is not sufficient. It must ensure that prior consent is obtained.
4.20. 20.

According to Criteo, she can do no more than she does; she has about 21,000 partners and conducting audits on all these partners is a very complex matter. In contrast, [claimant] states that it is “childishly simple” for Criteo to check its partners automatically, but that Criteo prefers to sit still for profit until someone complains. [eIST] has put a further analysis of Floor Terra of the Privacy Company of 28 September 2023 in order to support its position, which concludes:
4.21 . 4.21.

This argument of [claimant] sounds plausible and has not been motivated by Criteo. In any case, Criteo’s ‘beep system’, Criteo’s ‘beep system’, cannot, in any case, remove the wrongfulness of the acts against [plaint] to the reasons mentioned under 4.19.

Disable cookies and/or opt-out
4.22. 4.22 and 2.6

Criteo argues that it has given two possibilities with which he himself can prevent him from being followed with tracking cookies, but that he chooses these options (remove unwanted cookies by not using his browser settings and / or setting an "opt-out" for Criteo cookies).
4.23 and 4.23.

The preliminary relief judge agrees with [plaintiff] that this is the world upside down. Not [Claimant] must take action, but Criteo must ensure that prior consent from [plaintiff] is obtained for the placement of the cookies and the processing of his personal data. This defence is also rejected.

The interest weighing
4.24 of it.

Criteo has no intention of changing her current way of working. This means that Criteo’s wrongful action against [claimant] will not stop by itself. This is also confirmed by [the plaintiff] even after the letter from his lawyer of 8 August 2023, 39 cases of violation of the legal consent requirement. This is a - for preliminary judgment - flagrant violation of the law and [pbutur] alone has sufficient (emergency) interest that this stops. He cannot be required to tolerate this violation any longer pending the outcome of any substantive procedure. Criteo has informed on 2 October 2023 that it has removed the cookie ID from [plaintiff] from its systems, but [plaintiff] maintains the prohibition claimed (claim I) because he has no confidence that the unlawful act stops doing so. In this context, he would point out that on most of the 39 websites on 2 October 2023 (10 days after transmission to Criteo of the Report) were still subject to cookies. This argument is supported in the screenshots of October 2, 2023.
4.25 of 4.25.

Criteo has argued that [claimant] must be declared inadmissible in its claims against the BV because although the SA is the controller within the meaning of the GDPR, but the BV is not. That defence does not apply, because the BV must be considered as co-responsible now that it is the party with the Criteo-partners for services in the Benelux.
4.26. 4.26.

All this means that claim I will be granted.

II-V. Access and deletion personal data
4.27.4.

These are requests under Articles 15 and 17 of UAVG.

Just because of the connection with the assigned claim I, [Claimant] has a sufficient urgent interest in claims II-V.
4.28 of 4,68.

Criteo takes the view that with the letter of 2 October 2023, she has fully complied with the GDPR requests from [plaint]. [claimant] does not agree. The position of [the plaintiff] is followed, for the following reasons.

Progress II
4.29. 4.29.

The document of 3 October 2023, presented as production 32 by [the plaintiff], shows that the overview provided by Criteo is not complete. Not every website that exchanged the uid in question with Criteo is mentioned in that overview. Moreover, it is apparent from that document that data has been exchanged with numerous third parties. Thus there is grounds for the allocation of claim II.

Progress III of the
4.30.30.

In addition, the request for access of 8 August 2023 was requested to provide an overview of group companies and (other) third parties that have received the personal data. Criteo has only provided a list of categories of potential recipients (which are already in its privacy policy). On the basis of a judgment of the European Court of Justice 4, a controller is obliged to inform the data recipients when personal data have been or will be provided to the data subject the identity of those recipients (unless the exception of Article 12(5) GDPR occurs, but this has neither been the case here nor has it been established). Criteo has therefore not correctly complied with the request for access and it is not to be expected that it will do so voluntarily. [plaint] therefore has an interest in a commandment to still provide full access in any case consisting of a complete overview of the third parties with whom the data have been shared. [eplain] wants a complete overview because those third parties will not only have received the data from the request for access but also data that [eiser] has previously (in previous years) not. The recipients have therefore also acted in violation of the GDPR. [plaintiff] wishes to be clear about the extent of this and wishes to be given the opportunity to take action against these parties.

Progress IV
4.31.1.

Criteo has announced on October 2, 2023 that she is “deleted the communicated cookie ID from its system”. It is not clear whether this is actually the case and whether this is sufficient (see above, under 4.29) so that [plaintiff] also has an interest in assigning claim IV.

Progress V
4.32. 4.32.

Criteo has informed on 2 October 2023 that it is in the process of writing to the 39 websites in the Report, so that they can delete the personal data related to [Claimant] ’s cookie ID. However, [claimant] claims more, namely that (for the reasons mentioned in claim III) all third parties with whom data have been shared in recent years is informed about the deletion request. Partly in view of what was considered in case of claim III, [claimant] is entitled to and interest in awarding claim V.

Lock of the
4.33 of it.

The conclusion is that the claims will be granted.
4.34.4.

The advanced periodic penalty payments will be allocated as stated in the decision.
4.35.

Defendants, if the unsuccessful party are jointly and a major criminal conviction in the costs of the proceedings. The costs on the side of [Claimant] are estimated at:

- summons € 132,42

- court fees € 314,00

- salary lawyer € 1.619,00

Total € 2,065.42

The re-advanced costs and statutory interest are also granted.

5. 5. The decision

The preliminary relief judge
5.1. 5.1.

Criteo commands the unlawful act to cease (do) cease and cease (do) cease and ceased by no longer, whether or not via third-party websites, to place tracking cookies on the computer and/or devices of [the plaintiff] before [claimant] has validly given permission for placing these tracking cookies, under penalty of a penalty of € 250.00 per day or part of the day than - from the choice of a maximum of € 250.00 to the hour or the hour of the right to the right of a maximum of € 250.00 to the right of the day or the part of the day,
5.2. 5.2.

Criteo commands to provide access to the processed personal data of [claimant] within seven days after service of this judgment, under penalty of a period of penalty of € 250.00 per day or part of the day, up to a maximum of € 15,000.00,
5.3.

Criteo commands to provide information within seven days after service of this judgment, including specific information about third-party recipients in order to be able to identify and, where necessary, to provide the processing operations that have taken place with personal data of [evident], under penalty of a periodic penalty of € 250.00 per day or part of the day, up to a maximum of € 15,000.00, up to a maximum of € 15,000.00,
5.4. 5.4.

Criteo shall, within seven days after service of this judgment, to remove the unlawfully processed personal data of [plaintiff], under penalty of a periodic penalty of € 250.00 per day or part of the day, up to a maximum of € 15,000.00,
5.5. - 5.5. -

command Criteo within seven days of service of this judgment

- to inform all group entities and (other) third parties as included in the overview to be provided in accordance with 5.3, of the deletion request, so that those parties, to the extent necessary at the explicit request of Criteo, also proceed to the deletion of the personal data and any other related information obtained or otherwise processed by means of the aforementioned unlawful acts and to the contrary.

- to provide any of Criteo's requests to those parties,

This is a penalty of a penalty of € 250.00 per day or part of the day, up to a maximum of € 15,000.00,
5.6. 5.6.

condemns defendants to be raised jointly and (the only one’s costs] on the side of [plaintiff] to € 2,066.42, to increase the statutory interest on this amount from the fourteenth day after service of this judgment until the satisfaction of this judgment,
5.7. 5.7.

condemns the defendants to be raised by the costs incurred after this judgment, estimated at € 173.00 in salary lawyer, to be increased, under the condition that service of the judgment has taken place, with an amount of € 90.00 to salary lawyer and the exposure costs of service of the order, and to be increased by the statutory interest on the post-cost of fourteen days after the service of this judgment until the fulfilment of this judgment.
5.8. 5.8.

declare this judgment so far in stock,
5.9. 5.9.

Points it off more or otherwise advanced.

This judgment was given by Mr. E.A. - E.A. Messer, preliminary relief judge, assisted by mr. M.A.H.H. Verburgh, clerk, and publicly pronounced on 18 October 2023.5