On 6 April, the Data Protection Commission (DPC) issued a Guidance Note (GN) on cookies and other tracking technologies. The Guidance Note follows an examination by the DPC of the use of cookies and similar technologies on a selection of websites across a range of sectors. The DPC will allow a period of 6 months from publication of the guidance for controllers to bring their products, including websites and mobile apps, into compliance, after which enforcement action will commence.

ePrivacy Regulations and GDPR

The GN outlines the requirements under the ePrivacy Regulations 2011 and the GDPR for the use of cookies and other tracking technologies in the processing of personal data, including the law on cookies and its purpose, the requirements for consent, the provision of “clear and comprehensive information” about the use of cookies, and the requirements for cookie banners.

Third Party Processors

Consideration is also given to the need to assess relationships with third parties whose assets are deployed on a website, for instance “like buttons”, plugins, widgets, pixel trackers or social media sharing tools. Controllers must be aware of what information is collected by, and disclosed to, these third parties. In particular, where a third party is engaged to process payments, a controller-processor contract must be in place with that organisation to meet the requirements of Art 28(3) of the GDPR.

Record of Processing Activities

It is important to note that a cookie does not need to contain personal data for the user’s consent to be required before it is set. Under Art 30 of the GDPR, there is a requirement to maintain a comprehensive record of each specific type of processing as part of your record of processing activities, and this includes processing relating to cookies and other tracking technologies.

Special Categories of Personal Data

If your organisation processes special categories of personal data using information derived from cookies, that processing is subject to the stricter rules of Art 9 of the GDPR. The only legal basis your organisation is likely to have for processing special category data derived from cookies or other tracking technologies is the explicit consent of the individuals whose data you are processing.

Storage Limitation Principle

The DPC also noted that the lifespan of a cookie should be proportionate to its function. This is in line with the storage limitation principle under the GDPR. Organisations should review the expiry periods they currently set on cookies and make any changes necessary to comply with this principle.

Location Tracking

The GN also outlines the requirements regarding the use of cookies and other technologies to track the location of a user, namely the need for consent. The Court of Justice of the EU has recognised the sensitivity of location data because it can be used to derive very precise information about individuals and their behaviour, including daily movements and activities, places of residence, social relationships and the social environments they frequent.

Now that the DPC has issued its guidance, organisations should ensure that their approach to cookies and tracking technologies is compliant.

Our Data Protection Support Services team can assist you in implementing a successful data protection programme, achieving and maintaining compliance with EU data protection requirements while delivering security, productivity, risk management and cost-efficiency benefits. See our GDPR Service Offering for more information.


The Data Protection Commission has published an information note on data breach trends identified by its Breach Assessment Unit in the first year of the GDPR.

Some of the trends and issues identified by the Breach Assessment Unit include:

  • Late notifications;
  • Difficulty in assessing risk ratings;
  • Failure to communicate the breach to data subjects;
  • Repeat breach notifications; and
  • Inadequate reporting.


At Crowleys DFK, we are dedicated to helping you achieve GDPR compliance. Our Data Protection Support Services team offers the following services:

  • Preparing a Gap Analysis between current practices and those required under the current legislation and regulation.
  • Ensuring Data Protection, Records Management and Retention Policies and Procedures are in line with current legislation and regulations.
  • Conducting a Data Mapping exercise.
  • Developing Privacy Notices/Disclosures for your organisation.
  • Determining whether a Data Protection Impact Assessment is required by your firm and providing assistance in implementing it.
  • Providing support to your appointed Data Protection Officer/Privacy Officer and ensuring their roles and responsibilities fully include the requirements under the GDPR.
  • Providing GDPR workshops/training to Board members and staff.

For assistance or advice on Data Protection, please contact Pamela Nodwell, Manager in our Governance, Risk & Compliance Department.