The Danish data protection authority ('Datatilsynet') announced, on 20 February 2023, its decision in which it found Jysk Fynske Medier P/S's use of cookie walls in violation of Article 6(1)(a) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and ordered the company to demonstrate that its processing of personal data was for statistical purposes under Article 6(1)(a) of the GDPR, making reference to Articles 4(11), 5(1)(a), and 5(2) of the same, following a complaint.

Background to the decision

In particular, the Datatilsynet stated that the company's website allowed website visitors to gain access to parts of the website's content by giving consent to the processing of personal data, or to all the content on the website by subscribing to its services.

Findings of the Datatilsynet

Notably, the Datatilsynet stated that, generally, a mechanism, whereby website visitors can access the content of a website or a service in exchange for either giving consent to the processing of personal data, or for payment, is compliant with the requirements for valid consent pursuant to data protection rules. However, the Datatilsynet found that the company's specific approach in allowing partial access to content once visitors' consent is obtained, while allowing access to all content when visitors subscribe, did not meet the requirements for valid consent under the GDPR. In this regard, the Datatilsynet explained that this is because the service offered against consent was not to a large extent equivalent to that which was offered against subscription and payment, which meant that visitors were not really presented with a free choice.

Additionally, the Datatilsynet found that the company had not demonstrated that the processing of personal data for statistical purposes was necessary with regard to obtaining consent from visitors. Consequently, the Datatilsynet found that the company failed to adhere to the requirement of consent voluntariness under the GDPR, and that the processing of statistical data under Article 6(1)(a) of the GDPR is unlawful, with reference to Articles 4(11), 5(1)(a), and 5(2) of the same.

Outcomes

Ultimately, the Datatilsynet stated that it had ordered the company to ensure that the consent it obtains from website visitors meets the requirements of Article 4(11) of the GDPR and demonstrate that the consent meets the requirement for voluntary consent, pursuant to Articles 5(1)(a) and 5(2) of the GDPR. In this regard, the Datatilsynet specified that the deadline for compliance with the order is 8 March 2023.

You can read the press release here and the decision here, both only available in Danish.