Monitor Prawniczy

no. 22/2018

The legal basis for using internet cookies as an example of an interaction between the GDPR provisions and privacy in the electronic communications sector regulations

Xawery Konarski
The author is an attorney-at-law, senior partner at the law firm Traple Konarski Podrecki i Wspólnicy, and a legal expert of Związek Pracodawców Branży Internetowej IAB Polska.
Abstract

The use of cookies is subject to regulations which protect two different legal interests, namely users’ personal data and privacy. To the extent a cookie ID is recognized as personal data, the rules for admissible processing of this information are laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Placing cookies in users’ end devices is regulated by the provisions of Art. 173 of the Telecommunications Act of 16 July 2004. The independent nature of the legal regimes of the GDPR and the Telecommunications Act makes it necessary to perform a separate analysis of the legal basis for the actions covered by those regulations. For the processing of cookies as personal data, it will be either the consent of a data subject or a legally justified interest of a data controller. Under the Telecommunications Act, the sole prerequisite legitimizing placement and reading of cookies is the consent of a subscriber or user. With a view to the contents of Art. 94.1 of the GDPR, to be effective the consent under the Telecommunications Act should fulfil the conditions of validity (legitimacy) laid down in Regulation 2016/679 (“freely given”, “specific”, “informed”, “unambiguous”). Users may give their consent also in a situation whereby they do not change “the settings of the software installed in the end telecommunications device they use or configuration of the service” (Art. 173.2 of the Telecommunications Act), provided that all of the following three conditions are fulfilled. First, cookies may not be placed before consent has been given by the user. Second, the user should have been first provided with the information specified in the GDPR and the Telecommunications Act. Third, some form of activity by the user is required, e.g. pressing the “go to service” button.