On 17 December 2019, the Belgian Data Protection Authority (DPA) imposed an administrative fine of 15,000 EUR on a company that manages a website with legal news and information. The website has about 35,000 monthly visitors including many lawyers, law students, and paralegals. It is the first decision that has been published by the DPA regarding an online platform.
The investigation was initiated by the DPA’s inspection service, which concluded that several breaches were made by the company under the provisions of the General Data Protection Regulation (GDPR) and the provisions of the ePrivacy regulation.
The main findings of the DPA’s inspection service related to the following items:
Cookies are small pieces of data that are sent from a website and stored on a visitor’s computer through his web browser. These pieces of data are used to keep track of the visitor’s online activity and to store information about the user’s website interaction.
The information to be provided to the visitors of the website, i.e. where personal data is collected directly from the data subject, was found to be incomplete. Among other things, the data controller’s identity and contact information, as well as the data subjects’ rights and the retention period for personal data collected by the cookies, were not specified.
The DPA has stated that the company’s website fulfills a role function with respect to GDPR compliance, given that its main objective is providing legal news and information. With its 15,000 EUR fine, the DPA has taken a clear position that all website providers have to respect the applicable privacy (and cookie) legislation.