The General Data Protection Regulation (GDPR) has been applicable since 25 May 2018 to all European Union companies that process data of European citizens, as well as to companies established outside the European Union that process data of European citizens in relation to an offer of products or services to them, or to the analysis of their behavior within the EU. The Spanish “Ley Orgánica de Protección de Datos y garantía de los derechos digitales” (LOPDGDD) has been fully applicable since 5 December 2018 and is binding within Spanish territory.

This law extends the obligation to inform users and requires companies to provide concise, transparent, intelligible and easily accessible information in clear and simple language.

The GDPR and the LOPDGDD extend the content of the information that companies must provide to users. For example, they should explain the legal basis for data processing, indicate the data retention period, provide the contact details of the DPO or Data Protection Officer (if one has been appointed by the company), and inform users of their right to address their complaints to the data protection authorities.

Under these laws, users’ consent is understood to be unequivocal when the user performs an affirmative action to consent to the processing of their personal data (for example, by clicking on a box that is not checked by default), avoiding negatively worded phrases such as “I do not want to receive commercial communications”.

In addition to being unequivocal, consent must be explicit when the processing involves, among others:

  • Sensitive data.
  • Automated decision making.
  • International Transfers.

Therefore, consent that is given by omission or is tacit is contrary to the GDPR and the LOPDGDD.

Cookies and the GDPR

Cookies are files that are downloaded to users’ computers, tablets, or smartphones when they access certain websites and applications; they allow those websites and applications to store users’ browsing preferences.

Thanks to this information, companies can collect data from user sessions. In this way, companies using this technology could use this data for statistical purposes, for marketing purposes or for personalized marketing purposes.

The first thing to keep in mind is that the cookie policies of websites must have a minimum content so that the user can have the necessary information as provided in the new regulations.

In this regard, the Spanish Data Protection Agency in its 10th annual open session has established that the information to be provided to users regarding cookies is as follows:

  1. The identification of the person responsible. In other words, which company (or individual) is going to collect and process the data as the owner of the website.
  2. The purposes of the processing. In other words, what the cookies will be used for, such as profiling or personalization of advertising.

It is important to bear in mind here that, when the user is informed of the purposes of processing, expressions that give rise to confusion or that “say nothing” may not be used (for example, “we use cookies to customize their content and create a better experience for you”).

  3. The ability of the user to withdraw consent to the use of cookies on the website.
  4. International data transfers and the use of data protection safeguards (where applicable).

In addition to showing the user all the information summarized above, we must take into account the criteria established by the Agency with regard to obtaining consent from users who will be browsing the website.

An implementation in which users’ consent is obtained merely by continuing to browse shall be considered valid. The Agency offers two possible formulas for configuring cookies:

  1. Creation of a “first layer” with the possibility of accepting, rejecting and configuring cookies. The configuration button must give the user access to a panel where cookies can be activated and deactivated in a granular way.
  2. Creation of a “first layer” with the possibility of accepting and configuring cookies. Whoever chooses this model must inform users that cookies may be rejected in the configuration panel.

LetsLaw

Letslaw reviews this new regulation in order to inform companies about the latest developments and their consequences both in Spain and in the rest of Europe, to facilitate the right of their businesses and the keys to adapting to government changes and the digital and technological environment.