Storage and access includes: access to hardware device identifiers, advertising identification numbers, telephone numbers, SIM card serial numbers (IMSI), contacts, call lists, Bluetooth beacons or SMS communication, MAC addresses and browser fingerprinting. 2/11
You can get consent to store and access information and consent for further processing under GDPR 6(1)(a) at the same time if: you inform the users of all purposes (including of the subsequent processing), and it is clear to the user that several consents are given at once 3/11
The mere further use of a website or app, e.g. through actions such as scrolling down, surfing through website content, clicking on content or similar actions, does not constitute effective consent 4/11
If a banner or other graphic element for requesting consent obscures access to the website as a whole or parts of the content and the banner cannot simply be closed without a decision, consent is not freely given 5/11
CMPs - legally compliant consent is by no means automatically obtained through the use of the CMP alone. The responsibility for the effectiveness of the consent obtained remains with the respective provider of the telemedia service. 6/11
Not every use of cookies or subsequent tracking requires consent per se, so corresponding consent banners should only be used if consent is actually required. Otherwise, the misleading impression is created that the data subjects have a choice, although this does not exist 7/11
Banners must have: Separate HTML element; Provide full information; no further scripts loaded; Access to imprint and privacy policy not hindered; For every option to give consent give an option to reject; Store the submission of consent so that the banner does not reappear. 8/11
In the context of tracking, the requirements of Article 6 (1) (f) of the GDPR are only met in a few constellations in practice 9/11
For international transfers (US cookie providers) SCCs are not sufficient. You need to conduct a TIA and see whether supplementary measures are necessary. 10/11
Consent is not sufficient for the transfer; the scope and regularity of such transfers regularly contradict the character of Art. 49 GDPR as an exceptional provision
I can feel something inside me say
I really don't think (your legitimate interest) is strong enough now
- says @Datatilsynet to Shinigami Eyes browser extension. (Thread while you hum the Cher song in your head) 1/6
The data subjects’ interests, rights and freedoms precede Shinigami Eyes’ interest in providing their marking-application 2/6
The individuals had no knowledge of the processing and no way to expect that their messages or behavior on certain social media pages will be processed on the extension or communicated to all who download it 3/6