Our remarks • For the placement of cookies to be lawful, user or end user (such as cookies allowing the storage consent must be obtained prior to the placement of items in an online shopping cart or ensuring the of cookies. Consent may only be considered valid security of a banking application). if the conditions set out in the GDPR are met. This All other cookie placements or installations of other includes the requirement that the data subject tracking measures require the prior consent of the data provides consent in the form of a freely given, subject. specific, informed, and unambiguous indication of • When providing data subjects with information their wishes to agree to the processing of personal regarding cookies, as required by GDPR, Articles 12, data, as outlined in GDPR, Article 4(11). 13 and 14, be sure to include: • The owner of a website is responsible for the processing of cookies installed or read by its ° A complete list of the different types or categories of website. This responsibility may not be waived by cookies placed on the users’ devices. publishing a disclaimer on the website in question. ° Sufficient information on the criteria for determining • The case clarified that the use of statistical cookies the lifespan of the cookies placed on user’s devices does indeed constitute a processing of personal and the duration of retention of the data collected. data under GDPR in conjunction with the Belgian ° Information on the processing carried out by external implementation of the ePrivacy Directive. Therefore, partners and vendors. prior user consent is required when placing Note that all information must be provided in a statistical cookies with available IP addresses. transparent, understandable, and easily accessible • To observe the principle of storage limitation, manner. note that the lifespan of cookies must be directly • Withdrawing consent to the placement of cookies linked to the purpose for which it is used and must be as easy as it is to provide in the first must be configured to expire as soon as it is no place. The cookie management tools used on a longer necessary, considering the reasonable website must provide an effective mechanism for expectations of the data subject. withdrawing consent, after which the number of • Article 129 of the Belgian Electronic cookies placed should decrease. Communications Act contains two exceptions • Data protection authorities must obey procedural regarding user consent and cookie placement. rules. Even though their assessment of the As a main rule, the consent of data subjects must processing in question is correct, the case or be obtained prior to the placement of cookies on decision can be invalidated if procedural rules are their devices. This, however, is not required in the not followed. following two situations: • As the invalidation only happened due to the ° When the cookie is only intended to carry out the missing justification in the referral, the DPA’s transmission of a communication over an electronic assessment of the cookie solution is still relevant to communications network, or other data controllers as a takeaway. ° When the cookie is strictly necessary for the provision of a service explicitly requested by the subscriber 82