Cookies are only mentioned once within GDPR. Recital 30 states:

“_Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”_

In short, what this is stating is that when used to identify a device or, as with CANDDi, when used in conjunction with other data to identify the individual associated with that device it should be treated as personal data.

Personal Data is defined within the legislation in several ways:

Any Information that is linked back to an individual
Any information that could be linked back to an individual by another organisation (irrespective of who does this)
Personal information can also include information about a person's public or professional life.

This raises 2 interesting areas for the lawful processing of personal data

Under Article 6(1)(a) - For the processing of personal data to be legal this must have the consent of the data subject, or;
Under Article 6(1)(f) - It must be “Necessary for the purposes of legitimate interests pursued by the controller...”

Have more questions? Submit a request
Was this article helpful?
Thank you!