Spanish Data Protection Agency issues Guides on Cookies and Cloud Computing

09 May 2013

Javier Fernandez-Samaniego

Following the Spanish Data Protection Agency’s (“SDPA”) 5th Open Doors Annual Meeting, a Guide on the Use of Cookies, and two Guides on Cloud Computing for Users and for Service Providers have been issued by the Spanish DP Supervisory Authority.

Guide on the Use of Cookies

Firstly, it must be highlighted that this is the first European guideline drafted between the industry and the Supervisory Authority. It has been jointly drafted with the industry associations Adigital (e-commerce association), Autocontrol (self-control advertising association) and IAB Spain.

Since the implementation in Spain of Directive 2009/136/EC in March 2012, the lack of guidance on how the new Article 22.2 of Law 34/2002 (“Spanish E-Commerce Act”) should be applied by websites had led to a general non-application of this law. With the issuance of this Guide, the SDPA tackles the main controversial issues surrounding how the cookies regulation must be applied: the ways by which the statutory information on the use of cookies must be provided, the ways of obtaining a user’s consent, and how this applies to third party cookies.

Information on the Use of Cookies

Regarding the statutory information on cookies that must be offered according to the Spanish E-Commerce Act, the SDPA has established that this information may be given in a number of different ways:

- Offering the information in the header or footer of the website;
- For registered users, through the Terms & Conditions of the website;
- Through a banner that offers some basic information (a “first layer”), that must include: the use of non-exempted cookies, the specification of their purposes and of the existence of third party cookies, information on the action by which consent to the use of cookies may be implied, and a link to the cookies policy (“second layer”).

The cookies policy shall include: the definition and function of each cookie; information on the types of cookies used; information on how to delete the cookies; and identification of the party that places the cookies (the editor or third parties).


Through this Guide, the SDPA has formally accepted users’ implicit consent for the use of cookies. However, this implied consent must be given through some kind of specific action: the SDPA expressly excludes that the user’s inactivity implies consent for the use of cookies.

The SDPA offers specific examples of the ways in which implicit consent may be valid: the use of the scroll bar, if the cookies information was visible before moving it; or the user clicking on any content of the website.

Other ways of obtaining consent mentioned by the SDPA are: i) accepting the website’s T&Cs or privacy/cookies policy; ii) through the configuration of the website’s functioning (Settings-led consent); iii) at the moment at which a new function is offered on the website (Feature-led consent); iv) before downloading any specific content offered on the website; v) through the configuration of the browser.

Third Party Cookies

Regarding the debate about who must provide the statutory information and collect the user’s consent when the cookie is placed by a third party, the SDPA considers that both the owner/editor of the website and the third party are responsible for providing the statutory information and for obtaining consent. The SDPA also suggests that complying with this may be easier for the owner/editor of the website, and considers that these issues should be covered in the contract between both parties.

Cloud Computing Guides

The SDPA has also issued a “Guide for Clients that Contract Cloud Computing Services”, and a “Guide for Cloud Computing Providers”.

In the Guide for Clients, the main issues that arise regarding Cloud Computing Services are explained to users from a Data Protection point of view: the possibility that the services are provided from places that are not considered adequate from a Data Protection perspective, the specifications that must be in the contract for the cloud provider to be able to subcontract the services, issues regarding accountability and portability of the Data, and the main risks that may arise from the use of Cloud Computing. The final section of the guide is intended to provide certain guidelines to Public Administrations on the contracting of Cloud Computing.

In the Guide for Cloud Providers, the main Data Protection legal issues are also summarized to offer some basic guidelines to Cloud Providers regarding the Data Protection legislation, as they will act as data processors of the client’s data. In addition, although it is not explained in this Guide, in November 2012 the SDPA published Standard Contractual Clauses for transferring data from processors located in Spain to subprocessors located in third countries, a mechanism that may be very useful for Cloud Providers.