FDPIC: Gui­de­lines on coo­kies and simi­lar technologies

On its website, the FDPIC recently published its guidelines on data processing using cookies and similar technologies, in a new version dated January 22, 2025. An announcement is still pending.

The guidelines had been awaited for a long time, and drafting them was not easy due to the variety of technologies used for tracking. In terms of content, some of the guidelines are not surprising, but some are very much so.

The FDPIC essen­ti­al­ly demands the following:

| Requirement | Applies to | Implementation |
|---|---|---|
| Information | All personal cookies; increased requirements for sensitive processing | Privacy policy with link in the footer |
| Right of objection | All non-essential cookies if consent is not required | Right to object, technically exercisable at any time (banner/consent management) |
| Consent | Non-necessary cookies that are unexpected in a qualified sense | Opt-in, if necessary confirmation of a pre-ticked checkbox; ongoing revocation option (banner/consent management) |
| Explicit consent | Cookies that process particularly sensitive personal data or carry out high-risk profiling (federal bodies: any profiling) | Active opt-in (no pre-ticked checkbox); ongoing revocation option (banner/consent management) |

The gui­de­lines are the­r­e­fo­re less strict than the approach in Euro­pe, which requi­res more exten­si­ve con­sent, but read like the clo­sest pos­si­ble appro­xi­ma­ti­on to Euro­pean coo­kie law and, abo­ve all, the GDPR that is still com­pa­ti­ble with the FADP with a litt­le “legal ima­gi­na­ti­on” (to quo­te the FDPIC). The gui­de­line is not bin­ding, but it shows the FDPIC’s ambi­ti­on to enforce its own view of cor­rect data pro­tec­tion. In prac­ti­ce, the gui­de­lines will pro­ba­b­ly only lead to an increa­se in coo­kie ban­ners, which are alre­a­dy (too) widespread.

Rele­vant legal bases

The gui­de­lines are based on the FADP, but also refer to Art. 45c TCA, the only expli­cit Swiss regu­la­ti­on on cookies.

Art. 45c TCA requi­res for coo­kies, i.e. for the pro­ce­s­sing of data on third-par­ty devices, only a refe­rence to this pro­ce­s­sing and its pur­po­se and that the user can “refu­se” this pro­ce­s­sing. In prac­ti­ce, this is under­s­tood to mean that a rela­tively gene­ral noti­ce is suf­fi­ci­ent to indi­ca­te the pos­si­bi­li­ty of refu­sal (e.g. by refer­ring to the set­ting opti­ons in the brow­ser) and that con­sent is not required.

This relatively liberal regulation raises the question of whether Art. 45c TCA is a lex specialis which supersedes the FADP. The FDPIC denies this:

In other words, Art. 45c TCA represents a special statutory, public-law norm for otherwise unnoticed “telecommunication” processes, which, as a norm of the special data protection law of the Confederation, must be complied with cumulatively to the general data protection law in the FADP.

This is hard­ly wrong. On the one hand, the FADP remains appli­ca­ble in addi­ti­on to spe­cial sta­tu­to­ry pro­vi­si­ons, and on the other hand, Art. 45c TCA is pro­ba­b­ly not a data pro­tec­tion pro­vi­si­on (even if this is not clear).

Sub­ject

The guidelines apply in a technology-neutral manner to cookies and other tracking technologies (e.g. fingerprinting, pixels). Although not explicitly mentioned, they should also apply to apps. They do not contain direct references to programmatic advertising.

Set­ting the cour­se I: Con­cept of per­so­nal data

The guidelines can only be applied to personal data. In the past, the FDPIC has been extremely strict in this regard – in fact, he has more often relied on singularization than on identification (e.g. in the clarification of the facts in the case of Ricardo/TX Group as well as with Digitec Galaxus).

He now moves away from this, and this has significance far beyond the guidelines. However, it is an open question in the doctrine whether singularization can suffice. The guide cites three opinions for this statement: that of David Rosenthal, according to which singularization is not sufficient; that of Philipp Glass, which, as far as can be seen, only intends to apply singularization as an indication of personal reference; and that of the Austrian data protection authority.

Rather, the guide relies on the Logistep judgment, still one of the leading judgments on this issue (alongside the judgment of the HGer ZH, HG190107-O, dated May 4, 2021). Identifiability therefore presupposes that identification is possible, that a body with access to the data can carry out the identification without too much effort, and that it has an interest in taking on this effort.

The FDPIC agrees with this. A coo­kie or the infor­ma­ti­on asso­cia­ted with it is per­so­nal “at the latest” when the ope­ra­tor of the web­site or an inte­gra­ted third par­ty can link data to a spe­ci­fic per­son on the basis of a log­in or “com­pa­ra­ble online iden­ti­fiers”. This is cer­tain­ly not to be con­tra­dic­ted. Howe­ver, the fol­lo­wing points are interesting:

  • The guide reads as if UIDs or Ad-IDs, i.e. identification numbers associated with a mobile device, are always personal (“a personal reference can exist on the one hand if the processed information itself has an identifying characteristic (e.g. the unique user ID for Android or Ad ID for Apple devices)”). This is not correct, because the question is not whether Apple or Google can do anything with this number, but whether the operator of the website can.
  • The FDPIC refers to a negative opinion of the Federal Supreme Court in Logistep: If A discloses data to B that is only personal to B, the FADP is applicable to both A and B. Although the Federal Supreme Court said this in Logistep (presumably because only the sender was in Switzerland), it is wrong because it contradicts the relative approach. If the operator of a website discloses data to a third-party provider that is only personal to the latter, the operator is not covered by the FADP.

Set­ting the cour­se II: Responsibility

In prin­ci­ple, the ope­ra­tor of the web­site will be the data con­trol­ler under data pro­tec­tion law (which may rai­se que­sti­ons in the group con­text; the gui­de­lines do not com­ment on this).

However, in its Fashion ID decision, the ECJ recognized shared responsibility if the operator gives a third party the opportunity, for example via a social plugin, to collect data from visitors to the website (for this procurement process, not the subsequent processing). The FDPIC adopts this case law. He even quotes the ECJ, but without asking whether this case law can and should be adopted at all:

The web­site owner, in turn, only enables the third par­ty to obtain data by inte­gra­ting the third-par­ty ser­vice on its web­site (means), even if it has litt­le or no influence on the down­stream data pro­ce­s­sing. It fol­lows that joint or shared respon­si­bi­li­ty must be assu­med for the pro­cess of data coll­ec­tion by the third par­ty (as pro­ce­s­sing within the mea­ning of Art. 5 lit. d FADP) via the website.

It is one thing to hastily resort to the GDPR when it comes to the question of joint responsibility. The other, however, is the question of what consequences this has. Unlike Art. 26 GDPR, the FADP does not require a contract between the joint controllers. But:

Since the website operator has control over which third-party services are integrated, it cannot assume that its responsibility ends where the terms of use of third parties apply.

This con­tra­dicts the deli­mi­ta­ti­on of the area of joint respon­si­bi­li­ty, which is limi­t­ed to the pro­cess of third-par­ty pro­cu­re­ment or dis­clo­sure to the third par­ty and does not include the sub­se­quent pro­ce­s­sing. But:

[The ope­ra­tor] is respon­si­ble for ensu­ring that the web­site com­plies with data pro­tec­tion regu­la­ti­ons. It must the­r­e­fo­re inform its­elf about the data pro­ce­s­sing of the inte­gra­ted third-par­ty ser­vices and ensu­re that the requi­re­ments of the law are com­plied with. In par­ti­cu­lar, the web­site ope­ra­tor must ensu­re that all infor­ma­ti­on obli­ga­ti­ons towards the web­site visi­tors con­cer­ned are fulfilled.

The ope­ra­tor should the­r­e­fo­re appar­ent­ly bear over­all respon­si­bi­li­ty for “the web­site” and the­r­e­fo­re have to requi­re the (usual­ly for­eign) third par­ty to also com­ply with the FADP. The­re is no basis for this, espe­ci­al­ly out­side the nar­row scope of any joint responsibility.

Set­ting the cour­se III: Proportionality

The gui­de­line essen­ti­al­ly con­ta­ins a data pro­tec­tion check, i.e. it fol­lows the usu­al check pat­tern of infor­ma­ti­on – pro­ce­s­sing prin­ci­ples – justification.

With regard to proportionality, the FDPIC maintains his frequently expressed opinion that proportionality is not measured by the purpose freely chosen by the controller, but by an abstract purpose that is therefore determined by the FDPIC. If processing exceeds the corresponding framework, the FDPIC classifies it as disproportionate.

Accordingly, only the use of necessary cookies is proportionate. The FDPIC lists the following purposes as examples:

  • Shop­ping cart cookie
  • Tem­po­ra­ry sto­rage of infor­ma­ti­on in an online form
  • Log­in
  • Lan­guage selection
  • Coo­kie opt-in and coo­kie opt-out
  • Load dis­tri­bu­ti­on (“load balancing”)
  • Pre­ven­ti­on of brute force attacks
  • Captchas
  • Pre­ven­ti­on of web­site overload

The use of all other coo­kies, i.e. coo­kies that are not neces­sa­ry in this sen­se, would be disproportionate.

This is wrong, not becau­se this opi­ni­on is incon­ve­ni­ent – which it is – but becau­se it con­tra­dicts the essence of data pro­tec­tion law. Data pro­tec­tion law and the­r­e­fo­re the FDPIC do not deter­mi­ne pur­po­ses. The FAC has cle­ar­ly sta­ted this (in the Hels­a­na ruling, E. 5.4.3):

Moreo­ver, from a syste­ma­tic point of view, the Data Pro­tec­tion Act does not in prin­ci­ple spe­ci­fy the pur­po­ses for which per­so­nal data may or may not be processed.

With this stance, the FDPIC is arro­ga­ting to its­elf the powers of the eco­no­mic poli­ce. Dog­ma­ti­cal­ly, this view could only be saved by exami­ning pro­por­tio­na­li­ty in the nar­rower sen­se, i.e. rea­son­ab­leness (wher­eby one would have to ask whe­ther this applies in the pri­va­te sec­tor). The use of coo­kies that are not neces­sa­ry in the sen­se of the FDPIC would the­r­e­fo­re sim­ply have to be unre­a­sonable for it to be con­side­red dis­pro­por­tio­na­te. Howe­ver, the­re is not­hing about this in the guidelines.

It is cor­rect that the con­trol­ler is free to deter­mi­ne the pur­po­ses of a web­site its­elf. If the­se pur­po­ses requi­re the use of addi­tio­nal coo­kies, this is per­mis­si­ble and pro­por­tio­na­te. If such coo­kies are not wan­ted, they would have to be pro­hi­bi­ted by spe­cial legislation.

It is also inte­re­st­ing to note that the ope­ra­tor must

ensu­re that the use of coo­kies is limi­t­ed to the mini­mum neces­sa­ry for the inten­ded pur­po­se by means of appro­pria­te but­tons with sui­ta­ble default set­tings in accordance with Art. 7 para. 3 FADP.

That is not the case. “Pri­va­cy by Default” never requi­res that but­tons be pro­vi­ded. Only if the con­trol­ler designs pro­ce­s­sing ope­ra­ti­ons as optio­nal vari­ants and also gives the data sub­ject the oppor­tu­ni­ty to choo­se from the­se vari­ants, must he choo­se the spa­ring default set­ting (and only if it is effec­tively a mat­ter of a choice and not mere­ly the exer­cise of the right to object, which exists any­way; becau­se the lat­ter always exists – app­ly­ing pri­va­cy by design to cases of objec­tion would ulti­m­ate­ly mean requi­ring con­sent for all non-man­da­to­ry pro­ce­s­sing operations).

Con­se­quence: Need for justification

Becau­se the FDPIC clas­si­fi­es the use of coo­kies that are not neces­sa­ry in his view as dis­pro­por­tio­na­te, this requi­res justi­fi­ca­ti­on (Art. 30 FADP). As the law is unli­kely to be a justi­fi­ca­ti­on in the vast majo­ri­ty of cases, the over­ri­ding inte­rest and con­sent come into que­sti­on (Art. 31 para. 1 FADP).

Opti­on 1: Prin­ci­ple – over­ri­ding interests

Whether the aforementioned use is justified by overriding interests is a question of case-by-case examination. However, the guide has to take a more schematic approach to this examination:

Right of objection (Opt-Out)

First of all, a right to object must always be granted. For the FDPIC, this follows not only from the fact that otherwise no overriding interest could apply – the guidelines are clearly of this opinion – but also from Art. 45c TCA. This right to object must obviously be technically facilitated.

The fol­lo­wing comm­ents apply:

  • Unli­ke the GDPR, the FADP does not con­tain a requi­re­ment to sim­pli­fy the rights of data sub­jects, inclu­ding the right to object. The­re is no legal basis for the gene­ral requi­re­ment of tech­ni­cal facilitation.
  • If the inte­rests in data pro­ce­s­sing could only pre­vail under this con­di­ti­on, the legis­la­tor could and should have writ­ten it into Art. 31 para. 2 FADP.
  • The right to object is a sta­tu­to­ry right (Art. 30 para. 1 lit. b FADP). Howe­ver, the law is dee­med to be known, as Art. 20 para. 1 lit. b FADP pro­ves. Data sub­jects are the­r­e­fo­re awa­re of the right to object.
  • Art. 45c TCA does not pre­scri­be any tech­ni­cal ope­ra­tio­na­lizati­on of the right to object.
  • The­re is alre­a­dy a tech­ni­cal right of objec­tion: the brow­ser set­tings. Howe­ver, they are not com­pre­hen­si­ve; brow­ser set­tings, for exam­p­le, can do litt­le to pre­vent fin­ger­prin­ting (apart from blocking the exe­cu­ti­on of scripts that cau­se fin­ger­prin­ting and auxi­lia­ry mea­su­res such as dele­ting coo­kies, using a VPN, etc.).

The FDPIC could the­r­e­fo­re actual­ly only demand a tech­ni­cal imple­men­ta­ti­on of the right to object on the basis of good faith and then only in indi­vi­du­al cases.

Cases of over­ri­ding interest

When the inte­rests in the use of coo­kies pre­vail is, as men­tio­ned, a que­sti­on of the indi­vi­du­al case. Howe­ver, Art. 31 para. 2 FADP pro­vi­des for cases that indi­ca­te such an over­ri­ding inte­rest. The FDPIC addres­ses two cases here:

  • Connection with a contract: One example is the somewhat cryptic case of an online store cookie “serving commodities such as home deliveries based on address data” (?).
  • Statistics: Here, the FDPIC reiterates the requirements of Art. 31 para. 2 lit. e FADP (early anonymization, no disclosure of particularly sensitive personal data, no publication of personal data). Examples include statistics on the use of the website.

Option 2: Consent (exception in three constellations)

Requi­re­ment

In three constellations, according to the FDPIC, the interests in the use of non-essential cookies cannot prevail, not even with the right to object:

  • Unexpected cookies: If the purpose of the cookie stands in “obvious contrast” to the purposes of the main processing of personal data. Examples:
    • the use of “coo­kies for the lin­king and mar­ke­ting of address and tele­pho­ne data” (?) “for the web­site-sup­port­ed pro­vi­si­on of cha­ri­ta­ble or fri­end­ly ser­vices or for cer­tain online games”;
    • Coo­kies with com­mer­cial pur­po­ses on web­sites with sen­si­ti­ve con­tent of a poli­ti­cal, trade uni­on or reli­gious natu­re. Why an opt-out right on the web­site of the Green Par­ty, for exam­p­le, is not suf­fi­ci­ent, howe­ver, remains an open que­sti­on, as does the que­sti­on of whe­ther fund­rai­sing by an NGO con­sti­tu­tes a com­mer­cial purpose.
  • High intervention intensity: If personal data requiring special protection is processed via the cookie, or profiling with high risk is carried out, and/or corresponding data is passed on. (This also applies if such operations are “expected on the basis of general public opinion”).

Requi­re­ments for effec­ti­ve coo­kie consent

The fol­lo­wing requi­re­ments for effec­ti­ve con­sent can be found in the guidelines:

  • Explicitness:
    • This is only required for particularly sensitive personal data, for high-risk profiling and – in the case of federal bodies (including health insurance funds or pension funds in the mandatory provisions) – for any profiling with cookies. For example, it is sufficient to tick a clear checkbox.
    • If explicitness is not required, the checkbox may also be pre-ticked (but must then be confirmed, otherwise there is no active action – e.g. by clicking away the corresponding banner).
  • Infor­ma­ti­on:
    • Infor­ma­ti­on should be pro­vi­ded on what pro­ce­s­sing is to take place and for what pur­po­ses, and pos­si­bly also on the risks for the data sub­jects if they con­sent (in the case of increa­sed risks). The gui­de­lines do not con­tain any spe­ci­fics in this regard.
    • If child­ren are among the addres­sees of the web­site, the decla­ra­ti­on of con­sent must also be writ­ten in simp­le and (for them) unam­bi­guous language.
  • Specificity:
    • The object of the con­sent must be suf­fi­ci­ent­ly clear. For exam­p­le, “mar­ke­ting pur­po­ses” is not clear enough.
    • Howe­ver, it is not clear why the per­son con­cer­ned can­not make much sen­se of this. In any case, anyo­ne who does not under­stand such an expres­si­on will cer­tain­ly not con­sent, which is why a broad for­mu­la­ti­on does not harm con­sent, but at most the con­sent rate.
  • Voluntariness: This is lacking in two cases:
    • Dark patterns and nudging: when using “dark patterns”, but also in the case of “nudging”. The latter goes too far – anyone who sees a green OK button and a gray “Reject” button is rightly annoyed, but this hardly makes consent involuntary (if it did, clicking on it could then no longer be considered a declaration of consent at all, but such a conclusion would probably contradict reality).
    • Coupling: Consent is also involuntary if it is a condition for access to the website or the service provided through it, if the waiver is unreasonable. This is the case, for example, with a “dominant online retailer”, an “online job portal” or a “social network”. The use of such websites must therefore also be possible without cookies that require consent, i.e. if they are unexpected, use particularly sensitive personal data or lead to high-risk profiling (all other non-essential cookies can be justified by overriding interests, which is why the question does not arise).
  • Revocability: Consent is revocable by law. Nevertheless, the operator must “offer a simple option” to exercise the right of withdrawal. This is also ultimately an import from the GDPR.

Per­so­na­li­zed advertising

The gui­de­lines devo­te a sepa­ra­te chap­ter to this topic (point 3.11). In sub­stance, howe­ver, it amounts to the same as the more gene­ral information:

  • Nor­mal pro­fil­ing: Here, at least the right to object must be gran­ted, which means that an over­ri­ding inte­rest can be used here (excep­ti­on: fede­ral bodies).
  • Profiling with high risk: Explicit consent is required here. High-risk profiling occurs when profiling leads to a personality profile. Indications of this for the FDPIC are the participation of actors in different sectors, the consideration of personal data over a longer period of time and the inclusion of public data and data from third-party providers.

Infor­ma­ti­on requirements

The gui­de­line con­ta­ins infor­ma­ti­on obli­ga­ti­ons in various places:

  • First level pri­va­cy poli­cy:
    • First of all, in the case of cookies – even necessary ones, but only insofar as personal data is processed – information must be provided in accordance with Art. 19 et seq. FADP. This information must be provided “appropriately”. It is therefore not sufficient to place this information on any section of the website. The FDPIC is calling for an easy-to-find link, e.g. in the footer, which also corresponds to practice.
    • The privacy policy must always follow the layered approach: the most important information should be provided first, followed by further details if required. Again, there is no basis for an absolute requirement for such a procedure (apart from the fact that a table of contents could suffice).
    • And who is the infor­ma­ti­on for? The gui­de­lines are not com­pre­hen­si­ble here:

      “A privacy policy that is drafted according to this approach allows, for example, the persons concerned to obtain all essential information in summarized form at a glance, and specialists, investigative journalists and supervisors with more extensive information requirements to obtain detailed legal and information technology information by calling up a further level”.

      Appar­ent­ly, data pro­tec­tion decla­ra­ti­ons are not only drawn up for data sub­jects, but also for the FDPIC and even for Adri­en­ne Fich­ter and other inve­sti­ga­ti­ve journalists.

  • Second level coo­kie ban­ner:
    • A cookie banner, and more precisely a Consent Management Platform (CMP), is required by the guidelines only, but always, in the case of non-essential cookies, because here the controller must point out the “right of objection against the use of non-essential cookies on the website in a prominent place” (the guidelines do not specify whether this is the case for every visit). In addition, the “degree of conspicuousness” must correspond to the “unusual nature of the cookie use in question”.
    • Insofar as consent is required (see above), the data subject's right of withdrawal must be made clear, and then also “with particular clarity” and “in a prominent position”, and here on every visit.
    • Cookies may be set at the beginning of the visit unless, of course, they are based on consent.
    • If the con­trol­ler works with a right of objec­tion (opt-out) for cer­tain coo­kies and with con­sent (opt-in) for others, the data sub­ject must be able to cle­ar­ly reco­gnize which applies to which cookies.