Cookie & Social-Plugin

The General Data Protection Regulation (GDPR) [1] does not contain any explicit regulations on cookies. However, it is pointed out in the considerations that under certain circumstances online identifiers such as IP addresses and cookies can be assigned to natural persons. Cookies are therefore also considered “personal data” within the meaning of the GDPR. The concrete application of the GDPR to cookies is not always quite simple, since the legislator usually had other application areas of data collections in mind.

download full .pdf

Cookies as personal data

Regulation (EU) 2016/679; http://data.europa.eu/eli/reg/2016/679/oj.The GDPR and the Cookie Directive, which will soon be replaced by the ePrivacy Regulation, oblige website operators in the EU as well as in Switzerland[2] to use cookies in compliance with data protection regulations. The official authorities, probably due to the delays and differences of opinion in the ePrivacy Regulation, have only vaguely explained how these obligations must be fulfilled when cookies are used. In the meantime, however, national data protection authorities (e.g. ICO[3], CNIL[4]) have indicated what is required when cookies are used. In addition, the European Data Protection Board (EDPB) has adapted the Cookie Policy and the Cookie Banner on its website to show what is expected.

Lawful use of Cookies

Since personal data is also processed through the use of cookies, the website operator must guarantee the lawfulness of the processing and the clarification to the user. Today, this is usually done with so-called cookie banners, which inform users about cookies and, if necessary, obtain their consent. However, not all cookie banners meet the requirements of the applicable laws.

[1] Directive 2009/136/EC; http://data.europa.eu/eli/dir/2009/136/oj.

[2] As a website operator in Switzerland, it can be assumed that the EU DSGVO will also apply due to the website calls by users from the EU and the associated observation of behaviour (through tracking cookies). One way of not subjecting your website to the EU DSGVO is to restrict access only to Swiss IP addresses. However, since data protection will also be tightened in Switzerland in the coming years, implementation in conformity with the EU DSGVO is already recommended today.

[3] information commissioner’s office (data protection authority United Kingdom).

[4] Commission Nationale de l’Informatique et des Libertés (data protection authority France).According to the GDPR, the use of cookies with user-relevant data is only lawful if there is a justification according to Art. 6 GDPR. The existence of a legitimate interest or the consent of the data subject can be considered as justifications.A legitimate interest for website operators may exist if the use of cookies is necessary for the services offered or for security reasons. In doing so, the proportionality to the interests as well as the fundamental rights and freedoms of the data subject must always be protected. Therefore, the storage of the shopping cart in online shops or the cookies for identification and security in eBanking should be covered by the legitimate interest. However, as soon as there is no longer any legitimate interest or as soon as the user’s interest predominates, consent must be obtained.