A few days before the Austria DSB decision, the European Data Protection Supervisor (EDPS) issued a decision on the use of Google Analytics by the European Parliament.
For Schrems II: EDPS says “if you don’t have any documentation to prove compliance, then you certainly can’t be compliant.”
Here are some key practice points, not just on Schrems II transfers, for all of us who are engaging in "cry and pray."
Controller and Processor:
- You can still determine use of cookies on a website without being a controller if you are doing this while operating under the controller’s general instructions (i.e. the setting up and functioning of the website).
- You may outsource the publication of a privacy notice to your processor, but a) you are still liable and b) be mindful of the fact that they may not be privacy notice experts either. Make sure you get sufficient guarantees that they can implement appropriate technical and organizational measures to carry out these tasks.
- Not providing sufficiently detailed instructions to your processor is a violation of the law.
- The responsibility for a compliant DPA between controller and processor lies with both controller and processor.
Mind your website design practices:
- Don’t copy-paste code from one website to another indiscriminately. You may accidentally copy cookies and trackers that are not necessary. (This is universally right. Be careful when duplicating precedent.)
- Please make sure that your banners and disclosures are consistent across the different languages used in your website.
On Cookies:
- Once a cookie is installed on a device it can’t be deemed “inactive” even if it wasn’t actually used to transfer data.
- A cookie may only be considered strictly necessary if the service as such would not function without it. The choice of a certain implementation technique that relies on cookies is not sufficient to justify strict necessity if you have the choice of a different implementation that would work without cookies. Generally, the web services should be able to work without cookies requiring consent.
- Even first-party analytics, which are often considered a “strictly necessary” tool for web service operators, are not strictly necessary to provide a functionality explicitly requested by the user and are consequently, in principle, subject to the requirement of consent.
Mind your privacy notices and cookie banners:
- A provision in a privacy disclosure that states that data will be stored “until the end of the provision of services,” based on a contract, is not in line with the principle of storage limitation because there is no link between the storage of the data and the provision of the services, which is undetermined time-wise.
- You need to list processors when describing data sharing.
- Cookie banner text should refer to the types of information accessed or stored through the cookies as well as the purposes for such access or storage, and the information conveyed through the banner should be identical in all linguistic versions. Finally, it should provide users the option to consent or not to the processing of non-essential cookies. In this regard, the banners should include an opt-in button allowing users to accept cookies, making it clear that by clicking on the button the users agree to the deployment of cookies.
- ‘Cookie walls’ are not in line with the regulation, meaning that for consent to be freely given, access to the website’s service and functionalities should not depend on the users’ consent for cookies that are not strictly necessary in the sense described above.
- In cases where personal data collected through the cookies are shared with third parties, such as analytics partners, the cookie banner should draw the users’ attention to it.
On Schrems II:
- Transfers of personal data to the US can only take place if they are framed by effective supplementary measures in order to ensure an essentially equivalent level of protection for the personal data transferred.
- You must be able to provide documentation, evidence or other information regarding the contractual, technical or organizational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website.
On DSARs:
- You must provide complainants with confirmation as to the fact that their personal data has been processed in the context of the use of third-party cookies on your website. If you subsequently demonstrate that it is impossible for you to identify the data subjects, you need to inform them of that too.
- You must provide relevant DSAR information even if you are aware that the processing of the personal data in question was unlawful, as the main purpose of the right of access is precisely to enable data subjects to become aware of the processing and verify the lawfulness thereof, or exercise other data subject rights.