Denmark: Datatilsynet expresses criticism against JP/Politikens' website consent solution

The Danish data protection authority ('Datatilsynet') published, on 9 November 2022, its decision in Case No. 2021-41-0149, as issued on 27 October 2022, in which it had expressed criticism against JP/Politikens Hus A/S, a Danish media company, for violations of Articles 4(11), 5(1)(a), and 6(1)(a) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an investigation by the Datatilsynet. 

Background to the decision

In particular, the Datatilsynet stated that, in light of its specific focus on processing of personal data about website visitors in 2021, it had initiated an investigation into JP/Politikens' processing of personal data in connection with visitors to its website. In this regard, the Datatilsynet specified that the consent solution used by JP/Politikens on its website gave visitors three options to choose from, namely 'necessary only', 'customise settings', and 'accept all'.

Further to this, the Datatilsynet noted that the text of the 'first layer' of the consent solution provides that information is collected for statistics and marketing purposes, and that only if the website visitor clicks on the 'customise settings' option will they be redirected to the 'second layer' of the consent solution, which allows visitors to select and/or deselect consent for individual data processing purposes.

Findings of the Datatilsynet

Notably, the Datatilsynet found that the website visitors who, on the basis of the text in the first layer of the consent solution, selected the 'accept all' button, have not been adequately informed to be able to give valid consent, since information on adjusting preferences for individual processing purposes does not appear in the first layer. As such, the Datatilsynet noted that, since the requirements in Article 4(11) of the GDPR for valid consent have not been met, the consent obtained could not therefore form a basis for processing personal data pursuant to Article 6(1)(a) of the GDPR.

Moreover, the Datatilsynet stated that, in its view, JP/Politikens' choice of colour and design for the consent solution scheme had constituted a violation of Article 5(1)(a) of the GDPR. In this regard, the Datatilsynet explained that, since 'only necessary' was shown in a red field, 'customise settings' in a gray field, and 'accept all' in a green field, such a traffic light-like system may constitute a form of nudging visitors towards one option, and is thus incompatible with the principle in Article 5(1)(a) of the GDPR that personal data must be processed lawfully, fairly, and in a transparent manner.

Outcomes

Ultimately, the Datatilsynet expressed criticism against JP/Politikens for the abovementioned violations in connection with its website consent solution.

You can read the press release here and the decision here, both only available in Danish.
