SA Rossel & Cie media company fined for unlawful use of cookies Summary The decision of the Belgian DPA SA Rossel & Cie (‘Groupe Rossel’), a Belgian press site, The Belgian DPA imposed a fine of 50,000 EUR on was among the subjects of a broad investigation Groupe Rossel for the following violations: carried out by the Belgian Data Protection Authority (DPA) regarding the placement of cookies on the most • Placing non-essential cookies before obtaining user widely accessed Belgian online news media sites. The consent, including cookies placed by third-party case was examined together with the case regarding domains (GDPR, Article 6(1)(a) and Article 129 of the Roularta Media Group, which is described below. The Belgian Electronic Communications Act). DPA examined several websites administered by • Obtaining consent through the ”further browsing” Groupe Rossel to assess how non-essential cookies technique, which links the expression of consent were managed and whether visitors’ consent was for cookies with the choice to continue using the obtained in accordance with the GDPR. website (GDPR, Articles 4(11), 6(1)(a), and 7(1)). The DPA’s investigation found that Groupe Rossel had • Depositing non-essential cookies, namely social used non-essential cookies without obtaining valid media and audience measurement cookies, before consent from visitors, including cookies on third-party obtaining user consent (GDPR, Article 6(1)(a)). domains. Additionally, Groupe Rossel obtained user • Presenting the selection screen for partners to consent using the ‘further browsing’ mechanism, which whom personal data was sent in ”allow” mode by linked users’ expressions of cookie consent to their default for the approximately 500 listed partners decision to continue browsing the website. According (GDPR, Articles 4(11), 6(1)(a) and 7(1)). to the DPA, this method of obtaining consent does not meet the requirements for specification and distinction • Only mentioning 13 external partners in the outlined in GDPR, Article 4(11). cookie policy, whereas the partner selection The DPA found that Groupe Rossel had continued screen accessible via the volatile cookie banner to place cookies on users’ devices after they had referenced around 500 partners of this type (GDPR, withdrawn their consent. The placement of cookies in Articles 4(11), 12(1), 13 and 14). such a situation is unlawful due to the lack of (consent • Failing to provide sufficient accessible and/or as a) legal basis. language-appropriate mandatory information to data subjects (GDPR, Articles 12(1), 13, and 14). The DPA also found that the cookie policies of Groupe Rossel’s websites were incomplete and not easily • Allowing the placement of new cookies after the accessible to users. Additionally, these policies failed withdrawal of user consent without justification to provide mandatory information, such as the names deemed relevant by the DPA (GDPR, Article 7(3)). of all third-party partners. As a result, Groupe Rossel Appeal to the Belgian Market Court breached GDPR, specifically Articles 12(1), 13, and 14, which requires organizations to provide data subjects According to Belgian law, when the Belgian DPA initiates with complete and accessible information about the a case on its own, it must be based on a referral. The processing of their personal data. referral must be made by the management board of the DPA and provide ”serious indications” of a potential The decision was later appealed. violation of the fundamental principles of personal data protection. Published: 22-02-2023 Journal number: 2022/AR/953 Tags: 01 Legal basis and principles of processing 79