ePrivacy Regulations and GDPR
Third Party Processors
Consideration is also given to the need to assess relationships with third parties whose assets are deployed on a website, for instance “like buttons”, plugins, widgets, pixel trackers or social media sharing tools. There is a requirement to be aware of the information that is collected and disclosed to these third parties. In particular, where a third party is engaged to process payments, a controller-processor contract will need to be in place with that organisation to meet the requirements of Art 28(3) of the GDPR.
Record of Processing Activities
It is important to note that it is not necessary that a cookie contain personal data in order that the user’s consent be required to set it. Under Art 30 of the GDPR, there is a requirement to maintain a comprehensive record of each specific type of processing as part of your record of processing activities, which includes processing relating to cookies and other tracking technologies.
Special Categories of Personal Data
Storage Limitation Principle
The DPC also noted that the lifespan of a cookie should be proportionate to its function. This is in line with the storage limitation principle under the GDPR. Organisations should check their current practices and make the necessary changes to comply with this principle.
Now that the DPC has issued guidance, organisations should ensure that their approach is compliant.
Our Data Protection Support Services team can assist you in implementing a successful data protection programme, achieving and maintaining compliance with EU data protection requirements while delivering security, productivity, risk management and cost-efficiency benefits. View our GDPR Service Offering for more information.