Cookies are small text files that are saved on users’ devices when they visit a website. Cookies can be used to ensure the site’s technical functionality and targeted marketing, among other things.
For consent to meet the requirements set in the GDPR, users must have the opportunity to choose whether to accept or reject the terms offered. Consent can be given in a variety of ways, as long as it clearly indicates that the data subject accepts the proposal for the processing of their personal data. Valid consent cannot be given through silence, pre-ticked boxes or inactivity. Refusing and withdrawing consent must be as easy as giving it.
The Deputy Data Protection Ombudsman ordered the controller to bring its practices for obtaining consent into compliance with the GDPR. The Deputy Data Protection Ombudsman’s decision can be appealed in the administrative courts and is not final.
Consent must meet the requirements of the GDPR
The requirements for consent set in the Directive on Privacy and Electronic Communication have been implemented in Finland in the Information Society Code enforced by the Finnish Transport and Communications Agency Traficom. The GDPR’s provisions on consent do not include a national margin of manoeuvre, meaning that they are applied by the Member States as they are. In Finland, compliance with the GDPR is enforced by the Data Protection Ombudsman.
Dozens of similar cases are currently being processed by the Office of the Data Protection Ombudsman and will be resolved in line with the ruling now given.
The European Data Protection Board published updated guidelines on consent as the basis of processing personal data
The European Data Protection Board adopted an updated version of the guidelines on consent on 4 May. No major changes were made to the guidelines, but questions on cookies and ways of asking for the data subject’s consent are illustrated with new examples. The guidelines are in line with the Deputy Data Protection Ombudsman’s ruling.
The European Data Protection Board is responsible for the uniform application of the EU General Data Protection Regulation in the European Union. The Data Protection Ombudsman represents Finland on the European Data Protection Board.
Deputy Data Protection Ombudsman’s decision on giving consent for cookies in Finlex (in Finnish)
Guidelines of the European Data Protection Board: Guidelines 5/2020 on consent under Regulation 2016/679
Deputy Data Protection Ombudsman Anu Talus, anu.talus(at)om.fi