The Dutch Information Safety Authority (AP) diminished a penalty in opposition to AS Watson Well being & Magnificence Continental Europe B.V. to €50,000 on Could 27, 2025, following the corporate’s profitable enchantment of an earlier enforcement motion. The authority introduced the choice after figuring out that circumstances warranted moderating the unique high-quality imposed on Could 3, 2024.
In line with the AP’s choice doc, AS Watson had objected to the preliminary penalty, which stemmed from violations associated to monitoring cookies on the Kruidvat.nl web site. The unique investigation discovered that the corporate processed private information via monitoring cookies with out acquiring correct consent from web site guests, violating Article 6 and Article 5 of the Basic Information Safety Regulation (GDPR).
Get the PPC Land publication ✉️ for extra like this.
Abstract
Who: AS Watson Well being & Magnificence Continental Europe B.V., father or mother firm of Dutch drugstore chain Kruidvat, and the Dutch Information Safety Authority (AP)
What: The AP diminished an administrative high-quality from an undisclosed greater quantity to €50,000 for GDPR violations associated to monitoring cookies on the Kruidvat.nl web site
When: The diminished penalty was introduced on Could 27, 2025, following an enchantment of the unique Could 3, 2024 choice
The place: The Netherlands, particularly affecting the Kruidvat.nl web site operated by AS Watson Well being & Magnificence Continental Europe B.V.
Why: AS Watson processed private information via monitoring cookies with out acquiring correct consent from web site guests, violating Articles 5 and 6 of GDPR. The high-quality was diminished because of the prolonged procedural timeline, firm cooperation in acknowledging violations, and the comparatively minor severity of the breach in comparison with different potential violations.
The enforcement motion centered on AS Watson’s failure to determine a lawful foundation for processing private information collected via cookies throughout person visits to kruidvat.nl. In line with the authority, “AS Watson heeft nagelaten toestemming te vragen aan betrokkenen voor de verwerking van hun persoonsgegevens door (monitoring) cookies te gebruiken bij het bezoek van betrokkenen aan de web site kruidvat.nl.”
The enforcement motion centered on AS Watson’s failure to determine a lawful foundation for processing private information collected via cookies throughout person visits to kruidvat.nl. In line with the authority, AS Watson “didn’t ask for consent from information topics for the processing of their private information through the use of monitoring cookies throughout visits by information topics to the web site kruidvat.nl.”
The AP’s analysis thought of a number of components when figuring out the diminished penalty quantity. The authority utilized each its 2019 Coverage Guidelines for figuring out administrative high-quality quantities and the European Information Safety Board’s Tips 04/2022 for calculating administrative fines underneath GDPR. In line with the choice doc, each methodologies yielded the identical penalty quantity on this case.
Beneath the AP’s classification system, violations of Articles 5 and 6 of GDPR fall into Class III, which carries a penalty vary of €300,000 to €750,000. Nevertheless, the authority thought of a number of mitigating circumstances. In line with the choice, “the lengthy length of the process on the AP, with out the investigation and subsequent enforcement part justifying this therapy length, the popularity of the (full) violation by AS Watson, the minor severity of the violation” justified decreasing the high-quality.
The diminished penalty displays the AP’s evaluation of procedural components and firm cooperation. The authority famous the prolonged length of proceedings with out justification from the investigation and enforcement phases. Moreover, AS Watson’s full acknowledgment of the violations and the comparatively minor severity of the breach influenced the ultimate quantity.
The case illustrates ongoing regulatory concentrate on cookie compliance throughout European markets. Cookie-related enforcement has intensified all through 2024, with the Dutch DPA conducting extra compliance checks on web site implementations. The regulatory physique has revealed detailed technical tips for implementing compliant cookie banners, together with particular examples of acceptable and unacceptable practices.
Earlier enforcement actions display the AP’s constant strategy to cookie violations. In December 2024, the authority fined Coolblue €40,000 for comparable monitoring cookie violations on its on-line store. That case concerned pre-selected checkboxes for cookie consent and assumptions of customer settlement – practices explicitly prohibited underneath GDPR.
The AS Watson case follows a sample of serious penalties for cookie-related violations throughout the Netherlands. In July 2024, the AP initially fined Kruidvat €600,000 for unlawful monitoring cookies, representing one of many extra substantial penalties within the Dutch market. That enforcement motion highlighted violations together with pre-ticked packing containers for accepting monitoring cookies and complicated processes for customers trying to refuse cookies.
The technical violations recognized within the AS Watson investigation mirror widespread compliance failures throughout the business. Cookie consent mechanisms that fail to offer equally accessible choices for accepting and rejecting monitoring applied sciences have turn out to be a major enforcement goal. French authorities have similarly acted against deceptive cookie consent practices, figuring out points with visible hierarchies that stress customers towards accepting cookies.
The advertising and marketing business has intently monitored these enforcement developments as cookie compliance prices improve. GDPR enforcement statistics show authorities have imposed over 6,680 fines totaling roughly €4.2 billion since implementation. Eire’s information safety authority has levied the very best whole quantity at €2.8 billion, whereas Luxembourg follows at €746 million.
In line with the AP’s choice, the €50,000 penalty represents an quantity that’s “efficient, proportionate and deterrent.” The authority emphasised that the high-quality quantity ensures compliance with EU Constitution of Basic Rights necessities and Dutch administrative regulation ideas stopping disproportionate outcomes.
The enforcement timeline reveals the prolonged course of typical of knowledge safety investigations. The preliminary probe started in late 2019, with follow-up compliance checks carried out in April 2020. AS Watson ultimately rectified the violations in October 2020, however the formal enforcement course of continued via the Could 2024 choice and subsequent enchantment decision in Could 2025.
For corporations working cookie-based promoting applied sciences, the case underscores important compliance necessities. Legitimate consent mechanisms should keep away from pre-selected choices and supply equally outstanding selections for accepting or declining monitoring. The Planet49 case established in 2019 that pre-ticked packing containers don’t represent legitimate consent underneath GDPR, an interpretation actively enforced by regulators.
The diminished penalty quantity displays a number of components past the technical violations. The AP thought of the prolonged procedural timeline, firm cooperation in acknowledging violations, and the comparatively minor nature of the breach when in comparison with extra extreme information safety violations. These concerns align with established precedent in comparable cookie compliance instances.
AS Watson’s acknowledgment of violations throughout the enchantment course of probably influenced the penalty discount. Corporations that cooperate absolutely with investigations and implement vital corrections usually obtain extra favorable therapy in enforcement actions. The choice establishes a framework for the way regulatory authorities stability procedural equity with enforcement effectiveness.
The cookie compliance panorama continues shifting as browser producers implement new monitoring restrictions. Chrome’s implementation of Tracking Protection and comparable privateness options in Safari and Firefox have diminished reliance on third-party cookies. Nevertheless, first-party cookie implementations stay topic to consent necessities underneath GDPR.
Trade observers observe the significance of implementing technically compliant consent mechanisms earlier than regulatory scrutiny intensifies. The AS Watson case demonstrates that even acknowledged violations can lead to important penalties, although cooperation and remediation efforts might affect closing quantities. The €50,000 high-quality represents a considerable discount from potential most penalties however nonetheless displays significant enforcement motion.
The choice doc signifies that assortment of the high-quality will probably be dealt with by the Centraal Justitieel Incassobureau (CJIB). AS Watson has the choice to enchantment the choice to an administrative courtroom inside six weeks of the announcement date, although the corporate had already achieved a major discount via the preliminary enchantment course of.
Timeline
Source link
