The Belgian Data Protection Authority (in short: GBA) closed 2019 by fining a website whose privacy and cookie policy did not comply with the rules. The website in question specialised in legal news, but apparently did not fully comply with the rules that apply to the use of cookies. It is the first time the GBA has issued such a fine, but undoubtedly not the last.

Course of events

As early as March 2019, the GBA informed the targeted website of the infringements it had found on the website. The website was given the opportunity to make changes and made use of it.

However, when the GBA drew up its final report in May, it found that adjustments had indeed been made, but that these were not sufficient to bring the entire website into line with the General Data Protection Regulation (in short: GDPR).

In the end, the GBA’s Disputes Chamber decided to impose an administrative fine of EUR 15,000 on the website.

Infringements

Specifically, the GBA found that the privacy policy and cookie policy were not easily accessible to the users of the website and that the privacy policy had been drawn up in English, while the website was aimed at a Dutch and French-speaking audience.

Furthermore, the privacy policy lacked certain information that was required by law. For example, the website did not contain the identity and contact details of the data controller. There was also no mention of the rights of the data subjects, the legal basis of the processing and the processing purposes.

The cookie policy did not comply with current legislation either. Under the guise of ‘legitimate interest’, the website placed cookies on the user’s computer without first going through a consent process. However, the GBA decided that the cookies in question were not strictly necessary and that the GDPR was therefore violated.

In a later version, a consent step was provided, but the consent boxes had already been ticked. This also goes against the provisions of the GDPR and cannot be regarded as valid consent. After all, such consent is not obtained as a result of an action by the user.

Conclusion

This decision of the GBA can be considered a firm statement. After all, many websites today still do not comply with the obligations imposed on them by the GDPR. Many have waited to see how things would develop, and thought there was a tolerance policy, but this decision now proves the opposite. Moreover, practice teaches us that there is a lot of thoughtless copying; however, no situation is exactly the same, and a good cookie policy that holds up requires an individual approach that takes into account the concrete situation, the rules that apply to it, and the interpretation of the GBA.

For those who want to avoid fines, or have questions about their cookie/privacy policy, there is one address: hallo@dejuristen.be.

Written by Johanna Coppens, Legal adviser deJuristen and Kris Seyen, Partner deJuristen