In the Focus of European Personal Data Protection Bodies: Cookie Rules and Data Transfer to Controller’s Partners

In the Focus of European Personal Data Protection Bodies: Cookie Rules and Data Transfer to Controller’s Partners

March 27, 2024

In one of our previous texts (available here), we wrote about the guidelines of the European Data Protection Board (“EDPB”) regarding the appearance and content of cookie notices. In that context, below we provide more information about the new practice of the national data protection authorities (“DPA”).


The Belgian DPA recently dismissed a complaint regarding the absence of a “Reject All” option on the first, i.e., initial level, i.e., layer of cookie banners.

This decision was made because in the specific case, on the mentioned first level of the banner, the user was provided with the option “Confirm My Choices”, the selection of which did not imply the setting of any non-essential cookies.

Namely, the user could choose between “Accept All” and “Confirm My Choices”, with the latter option having the same effect as “Reject All” in the specific case, i.e., using only strictly necessary cookies.

Additionally, the DPA took into account the fact that the banner could be accessed at any time to change cookie settings (via an icon in the website corner).


In July 2023, the Spanish Data Protection Authority (“AEPD”), made revisions to its cookie usage guidelines to align with the latest directives from the EDPB. These updated guidelines, which came into effect on January 11, 2024, are mandatory for all websites targeting Spanish visitors.

According to the new guidelines, certain cookies used for obtaining traffic or performance statistics may be exempt from the requirement for user consent under the following conditions:

  • The data collected must be strictly limited to what is necessary for providing the service.
  • Processing of this data must be carried out solely on behalf of the website publisher.
  • The processing can only be used to generate anonymous statistical data.
  • These cookies or similar technologies must not link the data collected with other processing activities.
  • Data collected through these cookies or similar technologies must not be shared with third parties.
  • These cookies or similar technologies must not enable tracking of a user’s browsing activities across different websites or applications.

For cookies requiring user consent, the AEPD suggests that consent should remain valid for a maximum of 24 months. After this period, websites should seek renewed consent from users to continue using cookies.

Regarding cookies serving functions not requiring explicit consent, it is recommended to minimize their lifespan as much as possible while still fulfilling their purpose. This approach to cookie duration aligns with broader principles of data protection, ensuring that user data is not retained longer than necessary and that user preferences are regularly updated to reflect current consent.


In France, a fine was recently imposed on a data controller for conducting telephone surveys of individuals using data for which there is no legal basis for processing.

Specifically, the controller is a company engaged in marketing and loyalty program management (e.g., cards) and, to promote its activities, it conducted telephone surveys of potential customers using data previously purchased from various suppliers, who had collected that data through specific online forms.

During the investigation, the DPA found that these suppliers, regarding the completion of the mentioned forms, communicated to the data subjects that by providing the data, they consented to its use by the suppliers’ partners. However, the controller was not included on the list of those partners, nor was the processing notice provided in compliance with regulatory requirements (sufficiently transparent).

Accordingly, the supervisory authority found that in this specific case, the controller lacks a valid legal basis for processing personal data, i.e., legitimate interest or consent from the data subjects.

Namely, the controller did not directly collect the data from the data subjects, which is not inherently prohibited. However, in this specific case, consent was not obtained either on behalf of the controller or directly from the controller. Additionally, due to the same reasons, the controller in this specific case could not rely on legitimate interest, i.e., it did not ensure that the processing does not infringe upon the rights and interests of the data subjects, considering their reasonable expectations.


Regarding the previously mentioned list of partners with whom personal data is shared, in one of our previous texts (available here), we wrote about the extent, i.e., scope of the right of access to personal data.

According to the European Court of Justice’s stance, before the specific transfer of personal data is made, where individual recipients of such data cannot be identified, the controller must provide the data subjects with information about the entities to whom the data may be disclosed, which may include a specific category of recipients. However, after the data transfer has been made, upon request from the data subjects, the controller must inform them of the identity of the specific recipients to whom the data has been disclosed.

In other words, in order for data subjects to exercise their right of access to such data in its entirety, i.e., to achieve the purpose for which the right is established, they must know the identity of the individual recipients of that data, i.e., the entities with whom the controller has shared it.

As can be seen, the principles of lawfulness, fairness and transparency, as well as the principle of accountability provided by the GDPR and the Law on Personal Data Protection of the Republic of Serbia, are consistently implemented through the right of data subjects to be informed about all relevant aspects of processing before the processing begins, as well as through the accompanying right of access, which by its nature also constitutes the right to be informed.

This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.