EDPB orders Belgian regulator to examine VRT cookie complaint
The European Data Protection Board (EDPB) has instructed the Belgian Data Protection Authority to examine a complaint about VRT cookie banners on its merits rather than dismissing it as an alleged abuse of rights under the GDPR.
The EDPB published its binding decision of 28 May 2026 following a dispute between the Belgian and Austrian data protection authorities. The case concerns cookie banners used by Belgium’s public broadcaster, Vlaamse Radio-en-Televisieomroeporganisatie (VRT).
Austrian privacy organisation Noyb lodged the complaint with the Austrian Data Protection Authority on behalf of an individual. Because VRT is based in Belgium, the Belgian authority acted as the lead supervisory authority under the GDPR’s one-stop-shop mechanism.
The Belgian regulator proposed dismissing the VRT cookie banner complaint, arguing that the complainant had abused the rights provided under Articles 77 and 80(1) of the GDPR.
The Austrian DPA objected, arguing that the complaint should not be rejected on procedural grounds. Instead, it said the Belgian authority should assess the substance of the allegations and determine whether VRT’s cookie banners complied with the GDPR.
After the Belgian DPA declined to follow the objection, it referred the dispute to the EDPB under Article 65(1)(a) of the GDPR.
The EDPB concluded that the Austrian authority’s objection was both relevant and reasoned. Applying the Court of Justice of the European Union’s test for abuse of rights, the Board found that neither the objective nor the subjective element required to establish abuse had been demonstrated.
The decision does not determine whether VRT’s cookie banners violate the GDPR. Instead, it requires the Belgian DPA to assess the complaint on its merits and submit a new draft decision to the other supervisory authorities involved under Article 60(3) of the GDPR.
Why does it matter?
The decision reinforces the principle that GDPR complaints should generally receive a substantive assessment rather than being dismissed on procedural grounds without clear evidence of abuse. It also clarifies the high threshold regulators must meet before concluding that individuals have misused their rights under the GDPR.
The ruling further strengthens the GDPR’s cross-border enforcement system by confirming the role of the EDPB in resolving disputes between national data protection authorities and promoting consistent application of EU data protection law.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!
