EPRIVACY-ART-13
Unsolicited communications
Cookies
Online tracking technologies and consent requirements
cookie law cookiewet eprivacy cookies tracking
Overview
20 sources · Feb 21, 2026Legal Framework
Article 5(3) of the ePrivacy Directive (2002/58/EC) establishes the foundational requirement that storing information or accessing information already stored in a user's terminal equipment requires prior informed consent. This provision protects the integrity of terminal equipment and user privacy regardless of whether the information constitutes personal data. Article 1 defines the Directive's scope covering electronic communications networks and services, while Article 6 mandates confidentiality of traffic data and Article 13 addresses unsolicited communications. The consent requirement under Article 5(3) operates independently from GDPR processing grounds, creating a strict opt-in regime for cookies and similar tracking technologies that applies even where no personal data processing occurs. Member States have transposed these requirements into national law with varying penalty structures.
Key Developments
The Court of Justice in Planet49 established that Article 5(3) applies to any information stored in terminal equipment, irrespective of personal data classification, significantly broadening the provision's scope beyond GDPR alignment. The ruling mandates that service providers must inform users about cookie duration and third-party access rights before obtaining consent, setting specific transparency requirements for valid consent collection.
Enforcement practice confirms strict application across jurisdictions. The Spanish DPA's Ikea Ibérica decision imposed a €10,000 penalty for installing cookies without prior consent, rejecting implied consent mechanisms or soft opt-ins. The Norwegian DPA's Timegrip AS fine (€21,650) for employee working hours tracking demonstrates Article 5(3) extends to workplace contexts, requiring consent even for staff monitoring where legitimate interest might otherwise apply under GDPR. The EDPB's Guidelines 2/2023 provide detailed technical interpretation of Article 5(3)'s scope regarding storage methods, while recent Digital Omnibus proposals signal potential regulatory simplification that practitioners should monitor for compliance adjustments.
Practical Guidance
• Implement prior consent mechanisms that activate only after affirmative user action, following Ikea Ibérica and Planet49 standards—pre-checked boxes or continued browsing do not constitute valid consent under Article 5(3).
• Disclose specific cookie parameters including retention periods and third-party sharing rights in the first layer of information, as required by Planet49 paragraph 80, ensuring users understand the full scope of storage before consenting.
• Apply rules to non-personal data tracking technologies, recognizing that Article 5(3) covers any terminal equipment access regardless of GDPR applicability (Planet49 paragraph 70), including analytics, preference storage, and device fingerprinting.
• Address employment contexts by obtaining specific consent for workplace cookie deployment, acknowledging that employee tracking falls within Article 5(3) scope per Timegrip AS, separate from employment law considerations and GDPR legitimate interest assessments.
• Audit technical implementations against EDPB Guidelines 2/2023 to ensure all storage and access methods, including local storage, session storage, and similar technologies, meet the Directive's technical scope requirements and consent standards.
Laws (7)
Case Law (19)
ECLI:NL:GHAMS:2025:2666 Gerechtshof Amsterdam , 07-10-2025 / 200.339.869/01, 200.339.845/01 en 200.339.905/01
Gerechtshof Amsterdam
Art. 3:305a BW. Tussenbeslissing WAMCA-procedure in hoger beroep. TikTok. Internationale bevoegdheid ten aanzien van AVG en niet-AVG vorderingen? Aanhouding AVG-vorderingen i.v.m. prejudiciële vragen (rechtbank Rotterdam 23 juli 2025, ECLI:NL:RBROT:2025:9088). Stichtingen ontvankelijk ten aanzien van niet-AVG vorderingen? Immateriële schadevorderingen bundelbaar? Bepaling nauw omschreven groep en precieze omschrijving van de vorderingen.
Microsoft Ireland Operations Limited en Xandr moeten stoppen met het plaatsen en uitlezen van cookies zonder voorafgaande toestemming
Rechtbank
kort geding. 2 grote internetondernemingen wordt geboden het plaatsen en/of uitlezen van tracking cookies zonder dat eisers daarvoor toestemming hebben verleend te staken en gestaakt te houden. AVG. art 11.7a Telecommunicatiewet.
Wie zít hier toch achter…?
Rechtbank
Wie zít hier toch achter…? De cookiezaak tegen LinkedIn, Microsoft en Xandr van afgelopen jaar heeft een vervolg gekregen. Ter herinnering: Rb. Amsterdam 7 juni 2024, ECLI:NL:RBAMS:2024:3331 (Plaatsing tracking cookies zonder toestemming Linkedin Ierland, Microsoft VS, Microsoft Ireland Operation...
WAMCA
Rechtbank
Collectieve actie (WAMCA). Twee stichtingen voeren elk een collectieve actie tegen Google over de wijze waarop Google persoonsgegevens van gebruikers verzamelt en verwerkt. De rechtbank oordeelt in dit tussenvonnis dat beide stichtingen ontvankelijk zijn in de zin van de WAMCA.
Österreichische Datenschutzbehörde v CRIF
C-487/21 (Österreichische Datenschutzbehörde)
Right of access includes obtaining a copy in commonly used electronic form.
UI v Österreichische Post AG
C-300/21 (Österreichische Post)
Right to compensation under GDPR Article 82 requires proof of actual damage.
Meta Platforms v noyb
C-252/21 (Meta Platforms (noyb))
GDPR consent requirements and lead supervisory authority mechanism.
Bundesverband der Verbraucherzentralen v Planet49 GmbH
C-673/17 (Planet49)
Pre-ticked checkboxes do not constitute valid consent. Consent must be active.
BUNDESVERBAND DER VERBRAUCHERZENTRALEN UND VERBRAUCHERVERBANDE —BERBRAUCHERZENTRALE BUNDESVERBAND V. PLANET49 GmbH (“PLANET49”)
Planet49
Cookie data is personal data where the cookies likely to be placed on the terminal equipment of a user participating in the promotional lottery contained a number assigned to the registration data of that user (who must enter his/her name+address in the registration form.) By linking that number with that data, a connection between a person and the data stored by the cookies arises. Therefore, the data is not anonymous data. (¶45)
BUNDESVERBAND DER VERBRAUCHERZENTRALEN UND VERBRAUCHERVERBANDE —BERBRAUCHERZENTRALE BUNDESVERBAND V. PLANET49 GmbH (“PLANET49”)
Planet49
The information that service provider must give to a website user includes “the duration of the operation of cookies and whether or not third parties may have access to those cookies.” (¶80)
BUNDESVERBAND DER VERBRAUCHERZENTRALEN UND VERBRAUCHERVERBANDE —BERBRAUCHERZENTRALE BUNDESVERBAND V. PLANET49 GmbH (“PLANET49”)
Planet49
The restrictions of Article 5(3) of the ePrivacy Directive apply to any information stored in a terminal equipment, regardless of whether or not it is persona. (¶70)
Google LLC v CNIL
C-507/17 (Google Territorial Scope)
Right to delisting does not require global de-referencing under EU law.
FASHION ID GmbH & Co. KG v. VERBRAUCHERZENTRALE NRW eV
Fashion ID
ePrivacy Directive: The ECJ did not determine whether the Facebook “Like” button involves such storing or access subject to the ePrivacy Directive, but left it to the national court to make this assessment and determine whether such consent would be required under the e-Privacy rules. The ECJ did not state whether such consent should be obtained by the website operator, by the third-party plugin, or by both.
Unabhängiges Landeszentrum für Datenschutz v Wirtschaftsakademie Schleswig-Holstein
C-210/16 (Wirtschaftsakademie)
Facebook fan page administrators are joint controllers with Facebook.
UNABHäNGIGES LANDESZENTRUM FüR DATENSCHUTZ SCHLESWIG-HOLSTEIN v. WIRTSCHAFTSAKADEMIE SCHLESWIG-HOLDSTEIN GmbH
Wirtschaftsakademie
Territorial Scope / Concept of “establishment”: Facebook Germany is responsible for promoting and selling advertising space and carries on activities addressed to persons residing in Germany. Given that a social network such as Facebook generates a substantial part of its income from advertisements posted on the web pages set up and accessed by users, and given that Facebook’s establishment in Germany is intended to ensure the promotion and sale in Germany of advertising space that makes Faceboo
Peter Nowak v Data Protection Commissioner
C-434/16 (Nowak)
Examination scripts constitute personal data of the candidate.
Patrick Breyer v Bundesrepublik Deutschland
C-582/14 (Breyer)
Dynamic IP addresses can be personal data when holder can identify the person.
RYNES V. ÚŘAD PRO OCHRANU OSOBNICH ÚDAJŮ, 11.12.2014 (“RYNES”)
Rynes
Personal data: The image of a person recorded by a camera constitutes personal data because it makes it possible to identify the person concerned. (¶ 22)
BONNIER AUDIO ABET AL. V. PERFECT COMMUNICATIONS WEDEN, 19.April.2012 (“BONNIER”)
Bonnier
e-Privacy Directive (Directive 2002/58): The communication of name and address of a person using an IP address from which files were shared (for copyrighted audio books) falls within the scope of Directive 2002/58 (and within the scope of Directive 2004/48, dealing with copyright). (¶¶ 52-54)
Guidance (27)
View all 27Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
Guidelines on the territorial scope of the GDPR
Richtsnoeren 3/2018 over het territoriale toepassingsgebied van de AVG (artikel 3)
guidelines territoriaal toepassingsgebied AVG
Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive
Guidelines on technical scope of art. 5(3) of ePrivacy Directive
Richtsnoeren 2/2023 over het technische topassingsgebied van artikel 5, lid 3, van de eprivacyrichtlijn
guidelines technische toepassingsgebied van artikel 5(3) e-privacyrichtlijn
Guidelines 05/2020 on consent under Regulation 2016/679
Guidelines on consent
Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0 Adopted on 20 October 2020
Guidelines on data protection by design and by default
Guidelines 01/2022 on data subject rights - Right of access
Guidelines on data subject rights - Right of access
The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.
Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them
Guidelines on deceptive design patterns in social media platform interfaces: how to recognise and avoid them
These Guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called 'deceptive design patterns' in social media interfaces that infringe on GDPR requirements. To this end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting, among others, of designers, data protection officers and decision-makers. It is important to note ...
Guidelines 3/2019 on processing of personal data through video devices
Guidelines on processing of personal data through video devices
Version history
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
The GDPR does not provide for a legal definition of the notion 'transfer of personal data to a third country or to an international organisation'. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer: - 1) A controller or a processor ('exporter') is subject to the GDPR for the given processing. -...
Guidelines 8/2020 on the targeting of social media users
Guidelines on the targeting of social media users
Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement
Guidelines on the use of facial recognition technology in the area of law enforcement
More and more law enforcement authorities (LEAs) apply or intend to apply facial recognition technology (FRT). It may be used to authenticate or to identify a person and can be applied on videos (e.g. CCTV) or photographs. It may be used for various purposes, including to search for persons in police watch lists or to monitor a person's movements in the public space. FRT is built on the processing of biometric data , therefore, it encompasses the processing of special categories ...
ARTICLE 29 DATA PROTECTION WORKING PARTY
Guidelines on transparency
Guidelines 02/2021 on virtual voice assistants
Guidelines on virtual voice assistants
A virtual voice assistant (VVA) is a service that understands voice commands and executes them or mediates with other IT systems if needed. VVAs are currently available on most smartphones and tablets, traditional computers, and, in the latest years, even standalone devices like smart speakers. VVAs act as interface between users and their computing devices and online services such as search engines or online shops. Due to their role, VVAs have access to a huge amount of personal...
Richtsnoeren 01/2020 inzake de verwerking van persoonsgegevens in het kader van verbonden voertuigen en mobiliteitsgerelateerde toepassingen
guidelines connected vehicles
Richtsnoeren 3/2022 betreffende het herkennen en vermijden van misleidende ontwerppatronen in de interfaces van socialemediaplatforms
guidelines misleidende ontwerppatronen
Deze richtsnoeren bieden praktische aanbevelingen aan aanbieders van sociale media als verwerkingsverantwoordelijken van sociale media, ontwerpers en gebruikers van socialemediaplatforms, over het beoordelen en vermijden van zogenaamde 'misleidende ontwerp patronen' in de interfaces van sociale media die inbreuk maken op de vereisten van de AVG. Daartoe beveelt de EDPB aan dat verwerkingsverantwoordelijken gebruikmaken van interdisciplinaire teams, bestaande uit onder meer ontwerpers, func...
Richtsnoeren 02/2021 inzake virtuele spraakassistenten
guidelines over virtuele spraakassistenten
Een virtuele spraakassistent ( virtual voice assistant , of VVA) betreft een dienst die spraakgestuurde opdrachten begrijpt en uitvoert, of indien nodig als tussenschakel optreedt naar andere IT-systemen. Tegenwoordig is een VVA als optie beschikbaar op de meeste smartphones, tablets en reguliere computers en sinds enkele jaren zelfs op losse apparaten zoals smartspeakers. Een VVA functioneert als schakel tussen de gebruiker en zijn apparaat of een online dienst zoals een zoekmachine...
Richtsnoeren 01/2022 over de rechten van betrokkenen Recht van inzage
guidelines recht op inzage
Het recht van inzage van betrokkenen is vastgelegd in artikel 8 van het Handvest van de grondrechten van de Europese Unie. Het maakt al sinds het begin deel uit van het Europese wettelijke kader voor gegevensbescherming en wordt nu verder ontwikkeld met specifiekere, preciezere regels in artikel 15 AVG.
Richtsnoeren 8/2020 betreffende de targeting van gebruikers van sociale media
guidelines targeting gebruikers sociale media
Richtsnoeren 05/2020 inzake toestemming overeenkomstig Verordening 2016/679
guidelines toestemming
Enforcement (43)
View all 43Timegrip AS: Insufficient fulfilment of data subjects rights
€21,650 fine - Norwegian Supervisory Authority (Datatilsynet)
The Norwegian DPA has imposed a fine of EUR 21,650 on Timegrip AS. The controller had been tracking the working hours of employees at a company that went bankrupt. A former employee requested that the controller send the working hours to the data subject so that they could claim their unpaid wages from the bankruptcy estate. Furthermore, the bankruptcy estate itself requested the data, but the controller refused to send it to them.
Ikea Ibérica: Insufficient legal basis for data processing
€10,000 fine - Spanish Data Protection Authority (aepd)
The company installed cookies on an end users terminal device without prior consent of the data subject.
Ikea Ibérica: Onvoldoende juridische basis voor de verwerking van persoonsgegevens.
Boete van €10.000 - Spaanse Autoriteit voor Gegevensbescherming (AEPD).
Het bedrijf heeft cookies geplaatst op het apparaat van de eindgebruiker zonder voorafgaande toestemming van de betrokkene.
Pioneer Hi-Bred Italia Sementi s.r.l.: Insufficient legal basis for data processing
€120,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has imposed a fine of EUR 120,000 on Pioneer Hi-Bred Italia Sementi s.r.l. The controller installed satellite telematics tracking devices to monitor driving behaviour and provide drivers with scores.
AMERICAN EXPRESS CARTE FRANCE: Onvoldoende juridische basis voor de verwerking van gegevens.
1.500.000 euro boete - Frans Nationaal Instituut voor Gegevensbescherming (CNIL).
De Franse autoriteit voor gegevensbescherming heeft AMERICAN EXPRESS CARTE FRANCE een boete van 1.500.000 euro opgelegd. De verantwoordelijke partij gebruikte een buitensporig aantal cookies op haar website en heeft de betrokkenen niet voldoende geïnformeerd over deze cookies.
AMERICAN EXPRESS CARTE FRANCE: Insufficient legal basis for data processing
€1,500,000 fine - French Data Protection Authority (CNIL)
The French DPA has imposed a fine of EUR 1,500,000 on AMERICAN EXPRESS CARTE FRANCE. The controller used excessive cookies on its website and failed to adequately inform data subjects about them.
LES PUBLICATIONS CONDE NAST: Non-compliance with general data processing principles
€750,000 fine - French Data Protection Authority (CNIL)
The French DPA has imposed a fine of EUR 750,000 on LES PUBLICATIONS CONDE NAST. The controller used multiple cookies on its website but failed to adequately implement them.
LES PUBLICATIES CONDE NAST: Niet-naleving van algemene principes voor gegevensverwerking.
Een boete van 750.000 euro - van de Franse Autoriteit voor Gegevensbescherming (CNIL).
De Franse gegevensbeschermingsautoriteit heeft LES PUBLICATIONS CONDE NAST een boete van 750.000 euro opgelegd. De verantwoordelijke partij gebruikte meerdere cookies op haar website, maar heeft deze niet op een adequate manier geïmplementeerd.
INFINITE STYLES SERVICES CO. LIMITED: Insufficient legal basis for data processing
€150,000,000 fine - French Data Protection Authority (CNIL)
The French DPA has imposed a fine of EUR 150,000,000 on INFINITE STYLES SERVICES CO. LIMITED, which operates under the name 'SHEIN'. The controller used cookies unlawfully on its website. Firstly, the controller failed to obtain the data subject's consent before placing cookies. Second, the controller used incomplete cookie banners. Third, the controller failed to provide adequate second-level information. Finally, the controller's mechanisms for refusing or withdrawing consent were inadequate.
INFINITE STYLES SERVICES CO. LIMITED: Onvoldoende juridische basis voor de verwerking van persoonsgegevens.
150 miljoen euro boete - Franse Autoriteit voor Gegevensbescherming (CNIL).
De Franse gegevensbeschermingsautoriteit heeft INFINITE STYLES SERVICES CO. LIMITED, dat opereert onder de naam 'SHEIN', een boete van 150.000.000 euro opgelegd. De verantwoordelijke partij heeft op haar website op onrechtmatige wijze cookies gebruikt. Ten eerste heeft de verantwoordelijke partij de toestemming van de betrokkene niet verkregen voordat cookies werden geplaatst. Ten tweede heeft de verantwoordelijke partij onvolledige cookiebanners gebruikt. Ten derde heeft de verantwoordelijke partij onvoldoende informatie op een tweede niveau verstrekt. Ten slotte waren de mechanismen van de verantwoordelijke partij om toestemming te weigeren of in te trekken ontoereikend.
GOOGLE IRELAND LIMITED: Onvoldoende juridische basis voor de verwerking van gegevens.
125.000.000 euro boete - Franse Autoriteit voor Gegevensbescherming (CNIL).
De Franse autoriteit voor gegevensbescherming heeft GOOGLE IRELAND LIMITED een boete van 125.000.000 euro opgelegd. Bij het aanmaken van een account voor de diensten van de verantwoordelijke, heeft deze de procedure voor toestemming voor cookies zodanig ontworpen dat een vrije, geïnformeerde toestemming niet mogelijk was. De betrokkene kon alleen kiezen tussen de gratis dienst met gepersonaliseerde marketing of een betaalde versie zonder dit. De verantwoordelijke heeft ook haar e-maildienst zo ontworpen dat advertenties getoond konden worden in gebieden waar betrokkene normaal gesproken...
GOOGLE LLC: Onvoldoende juridische basis voor de verwerking van gegevens.
200 miljoen euro boete - Frans Nationaal Instituut voor Gegevensbescherming (CNIL).
De Franse gegevensbeschermingsautoriteit heeft GOOGLE LLC een boete van 200 miljoen euro opgelegd. Bij het aanmaken van een account voor de diensten van de verantwoordelijke, heeft deze de procedure voor het verkrijgen van toestemming voor cookies zodanig ontworpen dat een vrije, geïnformeerde toestemming niet mogelijk was. De betrokkene kon alleen kiezen tussen de gratis dienst met gepersonaliseerde marketing of een betaalde versie zonder dit. De verantwoordelijke heeft ook haar e-maildienst zo ontworpen dat advertenties konden worden weergegeven in gebieden waar betrokkene normaal gesproken berichten ontving.
Gemeente Kristiansand: Onvoldoende juridische basis voor gegevensverwerking.
22.000 euro boete - Noorse Toezichtsautoriteit (Datatilsynet).
De Noorse Autoriteit Persoonsgegevens heeft de gemeente Kristiansand een boete van 22.000 euro opgelegd. De instantie biedt een hulplijn voor kinderen die slachtoffer zijn geworden van geweld, misbruik of verwaarlozing. De website van de hulplijn maakt gebruik van trackingpixels, waardoor de aanbieders van die pixels toegang krijgen tot persoonlijke gegevens van de betrokkenen zonder voldoende wettelijke basis.
Kristiansand municipality: Insufficient legal basis for data processing
€22,000 fine - Norwegian Supervisory Authority (Datatilsynet)
The Norwegian DPA imposed a fine of EUR 22,000 on Kristiansand municipality. The controller offers a helpline for childreen, which had become victims of violence, abuse or neglect. The webiste of the helpline uses tracking pixels resulting in the providers of those pixels gaining acces to personal data of the data subjects without sufficient legal basis.
Coolblue B.V: Insufficient legal basis for data processing
€40,000 fine - Dutch Supervisory Authority for Data Protection (AP)
The Dutch DPA has imposed a fine of €40,000 on Coolblue. The company collected personal data via cookies without users' explicit consent, relying on pre-ticked consent boxes.
Hotel: €45,000 fine
€45,000 fine - Croatian Data Protection Authority (azop)
The Croatian DPA (AZOP) has imposed a fine of EUR 45,000 on two hotels for unlawfully processing personal data through the use of cookies.
Apohem AB: Insufficient technical and organisational measures to ensure information security
€698,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)
The Swedish DPA has imposed a fine of EUR 698,000 on Apohem AB. The controller had used so-called meta pixels on its website which, due to incorrect settings, caused personal data of customers who had consented to marketing cookies to be transmitted to Meta. The controller had used the tool to improve its marketing on Facebook and Instagram, without intending to transmit the data. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organi
A.S. Watson Health & Beauty Continental Europe B.V.: Insufficient legal basis for data processing
€50,000 fine - Dutch Supervisory Authority for Data Protection (AP)
The Dutch DPA has imposed a fine of EUR 600,000 on A.S. Watson Health & Beauty Continental Europe B.V.. The controller had tracked visitors to their drugstore website “Kruidvat.nl” with tracking cookies without their consent. The cookie banner on the website had the boxes for consenting to the placement of tracking software pre-ticked by default. Visitors who nevertheless wanted to reject the cookies could only do so with greater difficulty. This allowed the controller to collect sensitive perso
Betting company: Insufficient legal basis for data processing
€15,000 fine - Croatian Data Protection Authority (azop)
The Croatian DPA (AZOP) has imposed a fine of EUR 15,000 on a data controller operating in the gambling and betting sector. The data controller collected and processed personal data of data subjects through cookies without providing them the opportunity to give or withdraw consent for such processing in an informed and voluntary manner, violating Art. 6 (1) a) GDPR and Art. 7 GDPR. In cases where personal data processing relies on consent and serves multiple purposes, the consent mechanism, such
Betting company: Insufficient legal basis for data processing
€20,000 fine - Croatian Data Protection Authority (azop)
The Croatian DPA (AZOP) has imposed a fine of EUR 20,000 on a data controller operating in the gambling and betting sector. The data controller collected and processed personal data of data subjects through cookies without providing them the opportunity to give or withdraw consent for such processing in an informed and voluntary manner, violating Art. 6 (1) a) GDPR and Art. 7 GDPR. In cases where personal data processing relies on consent and serves multiple purposes, the consent mechanism, such
News (75)
View all 75Garante per la protezione dei dati personali (Italy) - 10213894
Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=10213894 |ECLI= |Original_Source_Name_1=Garante per la protezione dei dati personali |Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10213894 |Original_Source_Language_1=I..." New p
Commission to stop tracking data centre usage in simplification push
The move to simplify data centre efficiency reporting comes despite estimates suggesting that 75% to 85% of servers sit idle at any one time
TI - 9/2026
|Appeal_From_Case_Number_Name=16.07.2025|Appeal_From_Case_Number_Name=16.07.2025 |Appeal_From_Status=|Appeal_From_Status= |Appeal_From_Link=https://www.dataprotection.ro/?page=Comunicat_Presa_16.07.2025|Appeal_From_Link=https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_a_Romanian_politician |Appeal_To_Body=|Appeal_To_Body= |Appeal_To_Case_Number_Name=|Appeal_To_Case_Number_Name= A politician, the operator of a website (the controller), appealed a DPA decision sanctioning him fo
Digital Omnibus: EDPB and EDPS support simplification and competitiveness while raising key concerns
Brussels, 11 February - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the Digital Omnibus Regulation proposal.* This proposal aims to simplify the EU's digital regulatory framework, reduce administrative burden and enhance the competitiveness of European organisations. The EDPB and the EDPS focus on the aspects concerning the GDPR, the EUDPR, the ePrivacy Directive, and the Data Acquis.** More specifically, they asses
Reopening GDPR and ePrivacy through the Digital Omnibus: a risky path for EU digital rights
EDRi has assessed the Digital Omnibus proposals affecting the General Data Protection Regulation (GDPR) and the ePrivacy framework. While presented as simplification, the changes amount to deregulation in effect, weakening fundamental rights safeguards, increasing legal uncertainty, and advancing through a process that falls short of democratic lawmaking standards. The post Reopening GDPR and ePrivacy through the Digital Omnibus: a risky path for EU digital rights appeared first on European Digi
Sanctions et mesures correctrices : la CNIL présente le bilan 2025
Cookies, surveillance des salariés et sécurité des données, sont les principaux sujets des sanctions prononcées par la CNIL en 2025, dont le montant cumulé des amendes représente un montant total de 486 839 500 euros.
noyb win: Microsoft ordered to stop tracking school children
The DSB decided that Microsoft unlawfully placed tracking cookies on the devices of a pupil
Digital Omnibus Report V2: Analysis of Select GDPR and ePrivacy Proposals by the Commission
Version 2 of our report includes specific recommendations for the EU legislator on each of the most important articles, including on whether to reject or maintain proposed changes
De prijs van gratis internet. Richtingen voor toekomstig online-trackingbeleid
Other
Rathenau Instituut, De prijs van gratis internet. Richtingen voor toekomstig online-trackingbeleid (2025), met Kamerbrief met reactie daarop.
The price of free internet: Directions for future online tracking policies.
Other.
Rathenau Institute, "The Price of Free Internet: Directions for Future Online Tracking Policy (2025)," including a letter from the Parliament responding to the report.
Autoriteit voor de bescherming van persoonlijke gegevens (Italië) - 10201989
Maakt een nieuwe pagina aan met de volgende inhoud: "{{DPAdecisionBOX |Jurisdiction=Italië |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italië) |Case_Number_Name=10201989 |ECLI= |Original_Source_Name_1=GPDP |Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10201989 |Original_Source_Language_1=Italiaans |Original_Source_Language__Code_1=..." Toon
Frankfurt am Main Regional Court - Case Number 6 U 81/23.
The court awarded €100 in non-pecuniary damages for the storage and processing of cookies without the consent of the individual. While the violation was considered minor, and the individual did not suffer a loss of control over their data, the court ruled that the feeling of being monitored constituted a form of non-pecuniary damage. The court awarded €100 in non-pecuniary damages for the storage and processing of cookies without the consent of the individual. Although the violation was considered minor, and...
OLG Frankfurt am Main - 6 U 81/23
}}}} The Court awarded €100 in non-material damages for the storage and processing of cookies without the data subject’s consent. Although the infringement was considered minor, and the data subject suffered no loss of control over his data, the court held that the feeling of being monitored constituted non-material damage.A Court awarded €100 in non-material damages for the storage and processing of cookies without the data subject’s consent. Although the infringement was considered minor, and
OLG Frankfurt am Main - 6 U 81/23
|Court_Original_Name=Oberlandesgericht Frankfurt am Main|Court_Original_Name=Oberlandesgericht Frankfurt am Main |Court_English_Name=Higher Regional Court Frankfurt am Main|Court_English_Name=Higher Regional Court Frankfurt am Main |Court_With_Country=OLG Frankfurt am Main (Germany)|Court_With_Country=OLG Frankfurt (Germany) |Case_Number_Name=6 U 81/23|Case_Number_Name=6 U 81/23 |Party_Link_2=|Party_Link_2= |Appeal_From_Body=LG Frankfurt am Main (Germany)|Appeal_From_Body=LG Frankfurt (Germany)
Garante per la protezione dei dati personali (Italy) - 10201989
Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=10201989 |ECLI= |Original_Source_Name_1=GPDP |Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10201989 |Original_Source_Language_1=Italian |Original_Source_Language__Code_1=..." Show
Hof van Justitie Frankfurt am Main - 6 U 81/23
}}}} Het gerecht heeft €100 aan immateriële schade toegekend voor het opslaan en verwerken van cookies zonder de toestemming van de betrokkene. Hoewel de overtreding als gering werd beschouwd en de betrokkene geen verlies van controle over zijn gegevens heeft geleden, oordeelde het gerecht dat het gevoel van bewaakt worden een vorm van immateriële schade vormde. Het gerecht heeft €100 aan immateriële schade toegekend voor het opslaan en verwerken van cookies zonder de toestemming van de betrokkene. Hoewel de overtreding als gering werd beschouwd, en
Hof van Beroep van Frankfurt am Main - 6 U 81/23
|Hof_Oorspronkelijke_Naam=Oberlandesgericht Frankfurt am Main|Hof_Oorspronkelijke_Naam=Oberlandesgericht Frankfurt am Main |Hof_Engelse_Naam=Higher Regional Court Frankfurt am Main|Hof_Engelse_Naam=Higher Regional Court Frankfurt am Main |Hof_Met_Land=OLG Frankfurt am Main (Duitsland)|Hof_Met_Land=OLG Frankfurt (Duitsland) |Zaaknummer_Naam=6 U 81/23|Zaaknummer_Naam=6 U 81/23 |Partij_Link_2=|Partij_Link_2= |Beroep_Van_Instantie=LG Frankfurt am Main (Duitsland)|Beroep_Van_Instantie=LG Frankfurt (Duitsland)
Authority for the protection of personal data (Italy) - 10201989
Creates a new page with the following content: "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=10201989 |ECLI= |Original_Source_Name_1=GPDP |Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10201989 |Original_Source_Language_1=Italian |Original_Source_Language__Code_1=..." Show.
Frankfurt am Main Court of Appeal - Case No. 6 U 81/23.
| Court_Original_Name = Higher Regional Court Frankfurt am Main | Court_Original_Name = Higher Regional Court Frankfurt am Main | Court_English_Name = Higher Regional Court Frankfurt am Main | Court_English_Name = Higher Regional Court Frankfurt am Main | Court_Country = OLG Frankfurt am Main (Germany) | Court_Country = OLG Frankfurt (Germany) | Case_Number = 6 U 81/23 | Case_Number = 6 U 81/23 | Party_Link_2 = | Party_Link_2 = | Appeal_From_Court = Regional Court Frankfurt am Main (Germany) | Appeal_From_Court = Regional Court Frankfurt (Germany)
DSB (Austria) - 2025-0.276.820
Ruling === Ruling ====== Ruling === The Data Protection Authority (AP) has ruled that the responsible party violated Article 58(2)(d) of the GDPR. This article grants supervisory authorities the power to issue binding instructions to controllers to ensure compliance with the GDPR. The violation occurred because the responsible party failed to implement a binding instruction, namely to modify the cookie banner on the website so that users can easily reject cookies as well as accept them. The AP has ruled that the responsible party violated Article [[A...