Cookie fine imposed by Belgian DPA
On 17 December 2019, the Belgian Data Protection Authority (DPA) imposed an administrative fine of 15.000 EUR on a company that manages a website with legal news and information. The website has about 35.000 monthly visitors including many lawyers, law students and paralegals. It is the first decision that is published by the DPA regarding an online platform.
The investigation was initiated by the DPA’s inspection service which concluded that several breaches were made by the company on the provisions of the General Data Protection Regulation (GDPR) and the provisions of the ePrivacy regulation.
The main findings of the DPA’s inspection service related to the following items:
- Cookie requirements
Cookies are small pieces of data that are sent from a website and stored on a visitor’s computer through his web browser. These pieces of data are used to keep track of the visitor’s online activity and to store information about the user’s website interaction.
- Information requirement
The information to be provided to the visitors of the website, i.e. where personal data is collected directly from the data subject, was found to be incomplete. Among other things, the data controller’s identity and contact information as well as the data subjects’ rights and the retention period for personal data collected by the cookies were not specified.
The DPA has stated that the company’s website fulfills a role function with respect to GDPR compliance, given its main objective is providing legal news and information. With its 15.000 EUR fine, the DPA has taken a clear position that all website providers have to respect the applicable privacy (and cookie) legislation.
 DPA Decision 17 December 2019 n° 12/2019, www.gegevensbeschermingsautoriteit.be. Please note that the website provider can still appeal the DPA’s decision.
 CJEU 1 October 2019 n° C-673/17, Planet 49, www.curia.europa.eu.