Since the beginning of this year, the Czech Data Protection Authority has issued fines totaling CZK 4,443,000 (approx. 185.000 EUR) to various website providers for breaches of the GDPR and national implementation of the ePrivacy Directive in connection with the processing of personal data via cookies.
The highest enforceable fine of CZK 898,000 was imposed on a company operating in the field of electronic communications, primarily for uploading cookies, which were used to process personal data for marketing purposes, to end users’ devices without their consent.
The most frequent or most significant violations of the GDPR identified by the Authority included:
- Uploading cookies to end users’ devices without their consent (in the case of cookies, which are not covered by the exemption under ePrivacy Directive);
- Shortcomings in consent to the processing of personal data (e.g. in terms of sufficient information to users);
- Insufficient fulfilment of the information obligation (insufficient classification of individual cookies or information available only in English);
- The impossibility (or significant complication) of withdrawing consent to the processing of personal data through cookies;
- Placement of options for “consent” and “opt-out” with the processing of personal data through cookies in different layers within the cookie banner, whereby the visitor is influenced to give consent (so-called DDP – Deceptive Design Pattern);
- The cookie banner either does not react or does not react sufficiently to the individual settings of the processing of personal data via cookies.
