Tag: Belgian DPA

Belgian DPA releases Guidance and FAQs on Cookies and Trackers

23. April 2020

On Thursday, April 9th 2020, the Belgian Data Protection Authority (Belgian DPA) has issued a guidance along with frequently asked question on the subject of cookies and other tracking technologies.

The key points presented by the guidance revolve around the definitions of cookies, what needs to be presented in a cookie policy, how the consent of data subjects needs to be obtained and which requirements it needs to fulfill, as well as the storage period of a cookie on a user’s device.

The Belgian DPA made it clear that of the utmost importance is the transparency of the cookie usage. That entails that the users need to be informed about the scope of each individual cookie used. This should be done through a cookie policy on the website. The cookie policy needs to be written in a language the targeted users of the website can understand, as well as be easily accessible, e.g. through a hyperlink.

Specifically, these cookie policies need to include and inform about:

  • identification of the cookies used;
  • their purposes and duration;
  • whether third-parties have access to such cookies;
  • information about how to delete cookies;
  • the legal basis relied upon for the use of cookies;
  • information about individuals’ data protection rights and the ability to lodge a complaint to the competent data protection authority;
  • information about any automated decision making, including profiling.

In order to be able to use cookies, the consent of the user needs to be obtained. The Belgian DPA stated in their guidance that the consent has to be obtained for the use of all non-essential cookies, which means all cookies that are not necessary for a user requested function of the website. A necessary cookie would be, for example, the cookie to remember the item in a user’s cart, or cookies that enable booking communication with a user.

The consent especially needs to be:

  • obtained for the use of all non-essential cookies, as well as all social media plugins;
  • informed, specifically, prior to giving their consent to the use of cookies, users must be provided with information regarding the use of cookies: The information that needs to be given to the data subjects are the entity responsible for the use of cookies, the cookies’ purposes,  the data collected through the use of cookies, and their expiration. Users must also be informed about their rights with respect to cookies, including the right to withdraw their consent;
  • granulated, whereas in a first instance, users need to decide between what types of cookies they want to give consent to, and in a second instance, users can decide exactly which cookies they want to give consent to;
  • unambiguous and provided through a clear affirmative action.

Further, it is also important to keep in mind that the Belgian DPA has confirmed that cookie walls are unlawful, and that companies must show proof of obtained consent through keeping logs.

The Belgian DPA has also given guidance on the lifespan of cookies. Cookies should not have unlimited lifespans, but rather follow basic data protection rules: once a cookie is no longer necessary for the purpose or it has fulfilled its determined purpose, it needs to be removed. If the cookie cannot be deleted from the controller’s side, it is important to give the users the information on how to do it themselves.

Overall, the Belgian DPA’s guidance has given controllers a clear way to maneuvering their cookie usage, and has provided a new list of FAQs in case of further questions. In this regard, the Belgian DPA has made sure that cookies and their use are easy to comprehend and handle, hopefully helping data protection compliance within the subject.

Belgian DPA releases Direct Marketing Recommendation

4. March 2020

On February 10, 2020, Belgium’s Data Protection Authority (the Belgian DPA) has released their first recommendation of 2020 in relation to data processing activities for direct marketing purposes.

In the recommendation the Belgian DPA addressed issues and action proposals in regards to the handling of direct marketing and the personal data which is used in the process. It emphasized the importance of direct marketing subjects in the upcoming years, and stated that the DPA will have a special priority in regards to issues on the matter.

In particular, the recommendation elaborates on the following points, in order to help controllers navigate through the different processes:

  • The processing purposes must be specific and detailed. A simple mention of “marketing purposes” is not deemed sufficient in light of Art. 13 GDPR.
  • It is important to guarantee data minimization, as the profiling that accompanies direct marketing purposes calls for a careful handling of personal data.
  • The right to object does not only affect the direct marketing activities, but also the profiling which takes places through them. Furthermore, a simple “Unsubscribe” button at the end of a marketing E-Mail is not sufficient to withdraw consent, it is rather recommended to give the data subject the opportunity to a granular selection of which direct marketing activities they object to.
  • Consent cannot be given singularly for all channels of direct marketing. A declaration for each channel has to be obtained to ensure specification towards content and means used for direct marketing.

The Belgian DPA also stated that there are direct marketing activities which require special attention in the future, namely purchasing, renting and enriching personal data, e.g. via data brokers. In such cases, it is necessary to directly provide appropriate information to the data subject in regards to the handling of their data.

Further topics have been brought forth in the recommendation, which overall represents a thorough proposal on the handling of direct marketing activities for controller entities.

Belgian DPA against Facebook for tracking of non-users

30. June 2016

The Belgian DPA sued Facebook about a year ago for tracking the online activities of non-users who visit the Facebook´s sites in Belgium without their consent.

In the first instance, the Court ruled that Facebook should stop tracking non-users without their consent or to face a fine of 250,000 euros per day. Facebook appealed this sentence to the Brussels Court of Appeal. The Court of Appeal has now stated that the Belgian DPA has no jurisdiction over Facebook Inc. The Belgian DPA will appeal to the Court of Cassation, which cannot deliver new sentences but throw out previous judgements.

In the meanwhile, Facebook has confirmed that it will not track non-users without their consent when they visit Facebook sites or click the “like” button.

Moreover, Facebook stated that only the Irish DPA has jurisdiction regarding data protection issues that involve Facebook´s use of EU citizens’ personal data, as this is where the European Headquarters are located.

After the decision of the Court of Appeal, the Belgian DPA said that the decision “simply and purely means that the Belgian citizen cannot obtain the protection of his private life through the courts and tribunals when it concerns foreign actors”.