CNIL in France is very actively handing out fines in impressive amounts. It has imposed two fines on Google for violating the cookies rules which are in sum €100 million and it fined Amazon at €35 million.
Both cases have the same background
- Google.fr and Amazon.fr placed advertising cookies at users computers without prior consent, and
- they both did not inform the users and therefore the transparency rules of Art. 13 GDPR are violated.
Link to the press release on Google is here in English language.
Link to the press release on Amazon is here in English language.
- Do not wait until the authority knocks on your door, get it right before.
- As data privacy and especially the area of cookies, consent on cookies and transparency, is a quickly developing landscape, check the lawfulness of your solution at least once a month or every two months.
- In case the information collected by the cookie is send to a location in EU or EEA and not forwarded to a country outside EU and EEA, you should be fine without a safeguard for international data transfer.
- In case the information collected by the cookie is send to location in EU or EEA and then forwarded to a country outside EU and EEA, then you will need a safeguard in the light of Schrems II judgement.
- In case the information collected by the cookie is directly send to a location outside the EU or EEA, then you will need to do a decision if you a safeguard for international data transfer is needed or if the provider of that cookie is directly subject to the GDPR under Art. 3 section 2 GDPR and therefore it might that a safeguard for international data transfer is not needed, especially if the website is hosted outside EU or EEA.
- You will need to implement GDPR to these actions.
- Depending on the legal, technical and organizational solution you will need or not need to provide for a safeguard for international data transfer.
Contact me if you need help in this, see imprint at the bottom of this page for contact details.