EDPB requires Belgian DPA to handle the merits of NOYB cookie banner complaint
EDPB orders Belgian DPA to rule on Noyb's cookie banner complaint merits.
Summary
The European Data Protection Board (EDPB) has ruled that the Belgian Data Protection Authority (DPA) must investigate the substance of a complaint filed by the NGO Noyb regarding VRT's cookie banners. The Belgian DPA had initially proposed dismissing the complaint on procedural grounds, but the Austrian DPA objected, arguing for a decision on the merits. The EDPB agreed with the Austrian DPA, finding no abuse of rights by the complainant and instructing the Belgian DPA to proceed with a full assessment.
Full text
EDPB requires Belgian DPA to handle the merits of NOYB cookie banner complaint EDPB News 14 July 2026 be Brussels, 14 July–The EDPB has published its binding decision of 28 May 2026 under Art.65(1)(a) GDPR*. The decision concerns a dispute submitted by the Belgian Data Protection Authority (DPA) about a complaint against Vlaamse Radio-en Televisieomroeporganisatie (VRT) – a public broadcasting company based in Belgium.The complaint was lodged with the Austrian DPA by the Austrian-based NGO Noyb on behalf of an individual. It concerns the use of cookie banners on the website of VRT.The Belgian DPA, acting as Lead Supervisory Authority (LSA), submitted a draft decision proposing to dismiss the complaint on the basis of an alleged abuse of Art.77 GDPR and Art. 80(1) GDPR. The Austrian DPA, Concerned Supervisory Authority (CSA), objected, arguing that the LSA should not have dismissed the complaint on procedural grounds and should have instead issued a decision on the merits.The Belgian DPA decided not to follow the objection and submitted the case to the EDPB. Outcome of the EDPB decisionThe EDPB considered the Austrian DPA’s objection relevant and reasoned within the meaning of Art.4(24) GDPR and the EDPB Guidelines on the concept of relevant and reasoned objection and assessed it on the merits. The EDPB found that, based on the information available and in line with the CJEU’s test for alleged abuse, the complainant did not abuse their rights under Art.77 and Art.80(1) GDPR. This is because the objective and subjective components needed to prove such abuse were not demonstrated. Therefore, the EDPB instructed the LSA not to dismiss the complaint, but to assess it instead on its merits and to submit a new draft decision to the CSAs under Art.60(3) GDPR.Note to editors:*Art.65(1)(a) GDPR is a dispute resolution mechanism meant to ensure the correct and consistent application of the GDPR in cross-border cases, addressing disagreements that have arisen between the LSA and the CSAs in a given case. Relevant topics GDPR enforcement Cooperation between authorities Latest news EDPB News EDPB sheds light on anonymisation and web scraping for generative AI and adopts final version of guidelines on blockchain08 July 2026 EDPB News EDPB and AMLA to develop Joint Guidelines on partnerships for information sharing01 July 2026 EDPB News One-Stop-Shop case digest on right to object and right to erasure updated25 June 2026All news