Processors are recipients as defined in Art. 4 No. 9 GDPR, and therefore Art. 13 section 1 lit. e GDPR obligates you to list them. This is in line with the general principle in GDPR that your actions as controller shall enable the individual (called "data subject" in GDPR) to exercise their rights, e.g. Art. 15 to Art. 22 GDPR.
See also: DSK short paper on processing and Art. 28 GDPR, page 2, bottom left (in German)
Paragraph 39: „In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls).“
Paragraph 40: „… A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given.“
Paragraph 41: „This does not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button. It is not presented with a genuine choice.“
According to the EDPB, this also applies to situations in scope of the e-Privacy Directive (see footnote 25 on page 11 of the EDPB guidelines on consent).
– check your websites for such cookie walls as far as they are subject to GDPR, see Art. 3 section 2 GDPR
– if you have applied cookie walls and your website is in scope of GDPR, change your cookie banner, or whatever you use, to a legally permissible version,
– if your website is not in scope of GDPR, check the applicable law in this regard and repeat this check regularly, as it is to be expected that other jurisdictions will develop in the same direction
If you use cookie walls and users click on, e.g., „accept“ or „accept cookies“, you do not have consent, and therefore your processing in this regard is not allowed (see Art. 6 sec. 1 GDPR: „Processing shall be lawful only if…“).
Competent authorities can therefore use their powers to change this situation, up to the power „to impose a temporary or definitive limitation including a ban on processing“, see Art. 58 section 2 lit. f GDPR. In essence, this would mean your website is off the internet.
Competent authorities could also impose administrative fines under Art. 83 GDPR. We have all learned in the past two years that authorities do use this power and that fines are heftier than before GDPR. As cookie walls are easily detectable by automated software that checks websites (e.g. crawlers), and authorities have long since learned to use such software, it is foreseeable that some data protection authorities in Europe will use these tools to check websites in their jurisdiction and act.
Any person (not only users or data subjects) potentially has a right to compensation and liability under Art. 82 GDPR.
At the moment it is still debatable whether warning letters or cease and desist orders by competitors are possible; the courts, at least here in Germany, currently have different opinions on that. Still, it seems that a slight majority of courts say that these legal instruments are possible.