Inspection by GBA - X - 'Y' website

€ 15.000 in fines


The Belgian Data Protection Authority (APD/GBA) imposed a fine on the defendant for placing cookies without prior consent and obtained consent via pre-ticked boxes. Additionally, their policies lacked transparent information on data subject's rights, their exercise, and legal basis for processing.

Our analysis

In June 2019, the ADP/GBA investigated a company's webpage for potential violations of GDPR articles 6(1)(a), 12, and 13. The GBA submitted a report detailing several violations, including non-compliance with the GDPR and the national law implementing the ePrivacy Directive in the company's privacy statement and cookie policy. The policies did not provide transparent information on the data subject's rights and their exercise, which was a violation of Article 12 GDPR. Additionally, the company did not provide information on the legal basis for processing, data subject's rights, or retention period, which was in breach of Article 13 GDPR. Moreover, the company did not obtain consent for the use of cookies, and pre-ticked boxes were used to obtain consent for the installation of cookies. This practice was contrary to the national law implementing the ePrivacy Directive and Articles 6(1)(a) and 7 GDPR in light of Article 4(11) and Recital 32 GDPR. The company used deceptive patterns like preselection, forced action, and hidden information to obtain user consent, which violated GDPR laws.


The company was found to have violated national laws implementing the ePrivacy Directive and the GDPR by the Belgian Data Protection Authority (GBA). The GBA issued a decision confirming the violations mentioned and imposed a fine of €15,000 as a consequence.


Anonymous Y website and GBA

Case number


Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us