Back to Feed
GDPRJul 16, 2026

APD/GBA (Belgium) - 85/2022

Belgian DPA fined Roularta Media Group €50,000 for cookie violations and consent breaches.

Summary

The Belgian Data Protection Authority (APD/GBA) fined Roularta Media Group €50,000 for placing cookies without prior user consent and violating GDPR accountability and storage limitation principles. The investigation revealed multiple violations including unnecessary cookies, statistical cookies without consent, pre-ticked consent boxes, and inadequate privacy policies. The DPA confirmed that statistical cookies processing user IP addresses require explicit consent under GDPR and the ePrivacy Directive.

Full text

Help APD/GBA (Belgium) - 85/2022: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 15:55, 18 June 2022 view source2a02:1811:370a:7000:d49c:c97:de93:be7b (talk) Tag: Visual edit← Older edit Latest revision as of 14:48, 16 July 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators189 editsTag: Visual edit Line 51: Line 51: |GDPR_Article_Link_11=|GDPR_Article_Link_11= |EU_Law_Name_1=Article 5(3)(e) ePrivacy Directive|EU_Law_Name_1=Article 5(3)(e) ePrivacy Directive 2002/58/EC |EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%253A32002L0058|EU_Law_Link_1=https://eur-lex.europa.eu/eli/dir/2002/58/oj |EU_Law_Name_2=|EU_Law_Name_2= |EU_Law_Link_2=|EU_Law_Link_2= Latest revision as of 14:48, 16 July 2026 APD/GBA - 85/2022 Authority: APD/GBA (Belgium) Jurisdiction: Belgium Relevant Law: Article 4(11) GDPR Article 5(1)(e) GDPR Article 5(2) GDPR Article 6(1)(a) GDPR Article 6(1) GDPR Article 7(1) GDPR Article 7(3) GDPR Article 12(1) GDPR Article 24 GDPR Article 5(3)(e) ePrivacy Directive 2002/58/EC Type: Investigation Outcome: Violation Found Started: 16.01.2019 Decided: 25.05.2022 Published: 25.05.2022 Fine: 50.000 EUR Parties: Roularta Media Group National Case Number/Name: 85/2022 European Case Law Identifier: n/a Appeal: n/a Original Language(s): Dutch Original Source: Beslissing ten gronde 85/2022 van 25 mei 2022 (in NL) Initial Contributor: Enzo Marquet The Belgian DPA fined a large media company €50,000 for not obtaining prior consent to place cookies and for violating the principles of accountability and storage limitation. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comments 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts On 16 January 2019, the Executive-committee of the Belgian DPA (GBA) started an investigation on the use of cookies on Belgian media websites. The controller in this case is Roularta Media Group. The investigation revealed the following potential violations. First, the placement of unnecessary cookies prior to consent of the data subject. Second, the placement of statistical cookies without consent. Third, pre-ticked boxes to grant consent for cookies from partners. Fourth, the placement of a disclaimer for third-party cookies. Fifth, false and inadequate information in their privacy policy. Sixth, unjustified retention periods for the storage of cookies. Lastly, revoking consent was impossible. In fact, this placed more cookies. The controller argued that statistical cookies are used for aggregated basic statistics, necessary for the business model of the website. No personal data is being processed for this activity, as such, the GDPR does not apply. The controller argued that regarding the statistical cookies, the personal data was anonymised. The controller further argued that the Belgian DPA did not provide adequate guidelines for companies to comply with the GDPR. The controller refers to e.g. the French and Dutch DPA, who have provided this. Holding Regarding the placement of cookies, the DPA first noted that cookies can only be placed without prior consent when they are (1) strictly necessary for the transmission of communication or (2) to provide a service that is explicitly requested by the user. The DPA held that the controller violated Article 6(1)(a) and Article 5(3) ePrivacy Directive 2002/58/EC, as some of the cookies placed without prior consent were found to be not strictly necessary. The controller even admitted to the placement of unnecessary cookies without obtaining prior consent. Regarding the placement of statistical cookies in particular, the DPA noted - with reference to her decision in 12/2019 - that these also require prior consent. The DPA observed that the placement and reading of these cookies on the terminal equipment of users revealed their IP-addresses to the controller. The DPA disregarded the defence of the controller that the IP-addresses were anonymised, and found that they were instead pseudonimised. This makes the data subjects indirectly identifiable and thus the GDPR applicable. The DPA therefore held that the controller violated Article 6(1)(a) and Article 5(3) ePrivacy Directive 2002/58/EC by not obtaining prior consent. Regarding the pre-ticked boxes for the cookies from partner companies, the DPA argued that this cannot constitute lawful consent by the definition of Article 4(11) (and with reference to Planet49). The DPA thus found another violation of Article 6(1)(a). The DPA held that regarding the disclaimer placed on their website for third-party cookies, the controller violated the principle of accountability laid down in Article 5(2). The DPA stated that controllers are responsible for compliance with the GDPR and the demonstration thereof (Article 24). The DPA found that the privacy policy of the controller contained false, incomplete and insufficient information. The DPA therefore held that the controller violated Article 12(1), as it did not communicate the information referred to in of Article 13 and Article 14 in a "concise, transparent, intelligible and easily accessible form". The DPA furthermore held that the controller violated the principle of storage limitation laid down in Article 5(1)(e) by not proactively defining the criteria for the storage of cookies. Lastly, the DPA found that the controller violated Article 7(3), as withdrawing consent was made impossible by the controllers cookie-management tool. The DPA noted that withdrawing consent must be as easy as providing consent for users. The DPA found that the alleged absence of concrete guidelines is not a valid argument against a violation of data protection legislation. The DPA held that it is the responsibility of the controller to comply with the law and further noted that numerous guidelines for companies to ensure compliance with the GDPR already exist. The DPA fined the controller €50.000. The DPA further ordered the controller to get its processing of personal data - for which a violation was established - in compliance with the GDPR within 3 months. Comments While addressing the installation of statistical cookies, both the DPA and the controller seem to focus on the (non-)personal data conveyed by the tracker. It is important to note that this is only of importance for the applicability of the GDPR. The ePrivacy Directive refers to the storage of 'information,' which is a broader concept. This is also stated in Planet49. Further Resources https://www.lesoir.be/448977/article/2022-06-17/lapd-t-elle-enterine-la-regionalisation-de-la-vie-privee English Machine Translation of the Decision The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details. 1/58 Dispute room Decision on the merits85/2022 of 25 May 2022 File number : DOS-2020-03432 Subject: Use of cookies on Knacken LeVif's media websites (RoulartaMediaGroup) The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Christophe Boeraeve and Frank De Smet, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; In view of the law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, hereinafter WVP; Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; has taken the following decision r

Entities

Roularta Media Group (vendor)Belgian DPA (APD/GBA) (vendor)