Cookies are only mentioned once within GDPR. Recital 30 states:
“Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
In short, what this is stating is that when used to identify a device or, as with CANDDi, when used in conjunction with other data to identify the individual associated with that device it should be treated as personal data.
Personal Data is defined within the legislation in several ways:
- Any Information that is linked back to an individual
- Any information that could be linked back to an individual by another organisation (irrespective of who does this)
- Personal information can also include information about a person's public or professional life.
This raises 2 interesting areas for the lawful processing of personal data