Firstly, it must be highlighted that this is the first European guideline drafted between the industry and the Supervisory Authority. It has been jointly drafted with the industry associations Adigital (e-commerce association), Autocontrol (self-control advertising association) and IAB Spain.
Regarding the statutory information on cookies that must be offered according to the Spanish E-Commerce Act, the SDPA has established that this information may be given in a number of different ways:
> Offering the information in the heading or foot page of the website;
> For registered users, through the Terms & Conditions of the website;
The cookies policy shall include: the definition and function of each cookie; information on the types of cookies used; information on how to delete the cookies; and identification of the party that places the cookies (the editor or third parties).
Specific examples on the ways by which implicit consent may be valid are offered by the SDPA: the use of the scroll bar if the cookies information was visible before moving it; or if the user has clicked on any content of the website.
Other ways of obtaining consent mentioned by the SDPA are: i) accepting the website’s T&Cs or privacy/cookies policy; ii) through the configuration of the website’s functioning (Settings-led consent); iii) the moment at which a new function is offered on the website (Feature-led consent); iv) before downloading any specific content offered in the website; v) through the configuration of the browser.
Third Party Cookies
Regarding the debate about who must provide the statutory information and collect the user’s consent when the cookie is placed by a third party, the SDPA considers that both the owner/editor of the website and the third party are responsible for providing the statutory information and for obtaining consent. The SDPA also suggests that complying with this may be easier for the owner/editor of the website, and considers that these issues should be covered in the contract between both parties.
Cloud Computing Guides
The SDPA has also issued a “Guide for Clients that Contract Cloud Computing Services”, and a “Guide for Cloud Computing Providers”.
In the Guide for Clients, the main issues that arise regarding Cloud Computing Services are explained to users from a Data Protection point of view: the possibility that the services are provided from places that are not considered adequate from a Data Protection perspective, the specifications that must be in the contract in order that the cloud provider may subcontract the services, issues regarding accountability and portability of the Data, and the main risks that may come up from the use of Cloud Computing. The final section of the guide is intended to provide certain guidelines to Public Administrations on the contracting of Cloud Computing.
In the Guide for Cloud Providers, the main Data Protection legal issues are also summarized to offer some basic guidelines to Cloud Providers regarding the Data Protection legislation, as they will act as data processors of the client’s data. In addition, although it is not explained in this Guide, on November 2012 the SDPA published Standard Contractual Clauses for transferring data from processors located in Spain to subprocessors located in third countries, a mechanism that may be very useful for Cloud Providers.