The Czech Republic DPA conducted an annual audit program to ensure GDPR compliance in terms of cookie processing.
The Authority’s president stated that:
if there is noncompliance, there will be economic sanctions.
The most serious flaws were discovered in the requirements for free consent and information to be given to the user, such as:
- use of non-technical cookies without consent;
- the lack at the first level of the banner of the ability to express refusal to the use of non-technical cookies;
- the difference in the visibility of consent and non-consent buttons for the use of non-technical cookies;
- improper categorization of cookies;
- absence of information about the individual cookies used;
- information about cookies placed in a foreign language.
The survey findings were published on the Authority’s website, with a link at the bottom to specific FAQs relevant to this topic.
Sort on time? Below we’ve summarized the Czech Republic’s FAQs about cookie processing.
Cookie Processing GDPR Compliance in the Czech Republic FAQ
1. Do I have to get the user’s consent to store all cookies?
For technical cookies, consent is not necessary; however, this exception only applies to the storage and reading of cookies in the user’s browser.
Personal data is typically processed even through technical cookies, and any further processing of this data must therefore comply with the general legislation.
2. What are the conditions for granting consent?
Above all, consent should be free, specific, informed, and unequivocal. The data subject must have the simple option of refusing consent without fear of repercussions (e.g. unavailability of website content).
3. Is it possible to give consent through a browser?
This option is not ruled out by the Office. The administrator of personal data must be able to demonstrate that the user has given consent to the processing (for individual purposes).
4. How to inform users about cookies when obtaining consent?
The information presented should be straightforward and understandable to the ordinary user. The structure of the information will change depending on the number of cookies stored. It will seem different if you store one cookie and no data is transferred to other entities, and it will look different if you store dozens of cookies and data is processed by a lot of other companies. More thorough information should be presented in a structured format for greater clarity.
5. Do I have to allow the user to revoke the consent given?
Yes. Consent to the processing of personal data can be canceled at any time by the data subject, and withdrawing consent should be as simple as providing it.
6. Is it possible to process personal data through cookies on the basis of legitimate interest from January?
Yes. The obligation to obtain consent to store and read cookies in the user’s browser (as required by the Electronic Communications Act) must be distinguished from future personal data processing (analysis, profiling, etc.), which is completely subject to the General Regulation’s regime.
7. Is it possible for the “Accept All” button to be a different color than the “Reject All” button?
The appearance and color of the buttons should be chosen in such a way that the data subject has the freedom to choose whether or not to provide consent. The “I agree” button, for example, should not be significantly larger or more colorful than the “Reject” one.
The banner below is an example of a compliant cookie notice – once implemented in accordance with the law. Remember that cookie notices are just one part of the cookie consent management requirements of the Cookie Law and GDPR. In order to be fully compliant, you must also link to an accurate cookie policy and block cookies prior to user consent.
8. Does the “Reject All” button need to be visible at first glance? Is it possible to place it all the way to Settings?
The decline button should be on the same level as the accept button in order for the data subject to have a free choice.
9. Is it possible to have YES checked in advance for analytical and marketing cookies?
As per the General Regulation, which follows from Recital 32, pre-ticked boxes cannot be considered consent.
10. Is it necessary to inform about all individual cookies that the user accepts? Where, if any, should the statement be placed?
A list of individual cookies, together with their purpose, is highly suggested. The location of this information must be evaluated in relation to the number of cookies so that the information presented is clear and easy to access. The information can therefore be immediately in the structured cookie bar, for example, after clicking “more information,” or there can be a link to a document containing cookie information.
11. Can I prevent the customer from using the site before giving consent to cookies?
According to recital 32 of the general regulation, if the data subject expresses consent through an electronic request, this request must not interfere with the use of the service.
12. If the user closes the cookie bar, can I consider this as consent?
No, the user must express his consent clearly. If the user can close the bar without indicating whether or not he consents, closing it and then continuing on the website cannot be considered consent.
13. How long can consent to the storage of cookies be stored and when can consent be requested again in case of its previous refusal?
In general, 12 months can be considered a reasonable period for which consent to the use of cookies was granted.
If the user declines to grant consent, he or she should not be requested to do so again for at least 6 months following the last display of the cookie bar. This period may be reduced if:
- one or more processing circumstances have dramatically altered; and
- the operator is unable to monitor past consent/disagreement (e.g. the user has deleted the cookies stored on his device).
How can iubenda help?
If you need help getting compliant then you’re in the right place. We help with the legal requirements, so you can focus on the business. Our attorney-level solutions make your websites and apps compliant with the law across multiple countries and legislation.
Easily generate a fully customizable cookie banner, seamlessly collect consent and implement prior blocking with asynchronous re-activation, by clicking here!