Changes in the processing of cookies as a result of the new Electronic Communications Act
Changes take effect from 01/02/2022.
Cookies
What are cookies?
Cookies can be characterised as text files stored on the end device (computer or mobile device) of a website visitor. The files are stored locally when visiting the website. Cookies also allow us to analyse the use of our websites. They must not include any personal data and it is not possible to use them to identify you on third-party websites – including the websites of analytics providers. Consent is required.
What cookies we use based on various criteria:
We only use essential cookies that enable the proper functioning of our website.
We divide them into:
· so-called temporary (session) cookies (automatically deleted after the web browser is closed)
· so-called permanent (persistent) cookies (remain stored on the disk even after the web browser is closed)
· so-called third-party cookies, which are created by a person other than the website operator
· so-called first-party cookies – used for website analytics (statistical evaluation of website traffic)
Such data processing occurs in accordance with the provision of Section 55(5) of Act No. 351/2011 Coll. on Electronic Communications (the act is valid until 31/01/2021). From 01/02/2022, the new Act 452/2021 Coll. on Electronic Communications comes into effect. Section 109(8) imposes the obligation to have demonstrable consent for obtaining information from the end device of a website visitor.
Consent in accordance with Article 6(1)(a) of the Regulation is required for the processing of cookies in the following cases:
· Those used for the technical storage of data or access to them
· Those whose purpose is the transmission or facilitation of the transmission of a message through a network
· Those which are necessary for the information society services provider to provide an information society service explicitly requested by the user
· Must retain proof of the visitor's consent to the selected group of cookies
It is possible to use cookies without the website visitor's consent (e.g. statistical cookies). Technical cookies must always be processed, otherwise the website would not work (chat window), therefore the operator does not need consent for them. Technical cookies include tracking the number of website visitors without further identification.
The data subject has the right to withdraw consent to the processing of personal data concerning them at any time. The data subject may withdraw consent in the same manner in which it was granted. Consent will not be considered to be granted freely if the data subject does not have the option of freely choosing to grant consent. Consent cannot be defined in advance; it must be granted actively by the data subject themselves. We do not recommend collecting other cookies based on the so-called legitimate interest of the controller.
A cookie banner is not necessary if the website does not process any data.
General rules for using cookies:
Step 1:
· It is necessary for the controller to examine the website, e.g. what cookies it processes, what it uses them for and also for what purpose it uses them.
· During the analysis of the use of cookies on the given website, we recommend evaluating the necessity and benefits of each type of cookies. A simple rule applies, according to which if the controller does not even need certain cookies, it is more appropriate to completely remove them from the given website.
Step 2:
On the website, it is necessary to create a cookie banner, which should include:
· Closing the cookie banner with the cross
· It should not block the browsing of the website
· When visiting the website, the cookie banner should not bother the website visitor
· The visitor should accept or reject cookies at the first opportunity
· The website administrator (IT technician) can create their own cookie banner or opt to purchase a ready-made software solution
· The option to open cookie settings and choose which cookies to accept/reject; if we provide cookies to third parties, e.g. to Facebook (using Facebook pixel), it is necessary to obtain consent not only for the given purposes but also for third parties
· The website visitor must have the option to return to the granted consent to the use of cookies at any time and change them (the website visitor can change their decision in the browser settings)
· In the case of effective withdrawal of consent to the processing of a certain category of cookies, it is necessary to immediately stop processing these cookies
· It must be possible to withdraw the granted consent at any time, and its withdrawal should be as simple as its granting – i.e. if obtaining consent requires one click, the same number of clicks should be required to withdraw consent
· In the event of any changes in the processing of personal data through cookies, it is necessary to request consent to processing again
On the first layer of the cookie banner, the website operator must have the buttons (A) "MANAGE OPTIONS" x "ACCEPT ALL" x "REJECT ALL"
In the event that the website is managed or personal data is processed by an external company/sole trader, it is necessary to have a processing contract concluded with this entity
Step 3:
Information obligation imposed by GDPR:
· what cookies will be processed on the controller's website
· what the purpose of processing is
· legal basis
· the maximum permitted processing time (we recommend minimising processing) is 13 months from the date of the last visit
· recipients
· contact details of the controller
· rights of the data subject
Conclusion:
1. The Office for the Regulation of Electronic Communications and Postal Services may impose a fine on a legal or natural person (business) who violates Section 109 of Act 452/2021 Coll. ranging from EUR 200 to 10% of the turnover in accordance with Paragraph 6 for the previous accounting period pursuant to Section 124(1) of this Act.
2. The Office for Personal Data Protection may impose a fine for non-compliance with obligations related to cookies regulation (especially regarding the granting of consent to cookie processing and transparent information about cookie processing) of up to EUR 20,000,000 or 4% of the total annual turnover of the group.