The law does not specify who is responsible for fulfilling the obligation to provide the relevant information and obtain consent.
Different factors should be taken into account when considering who is responsible for complying with the legal obligations.
Where third-party cookies are used to provide the service requested by the user, a contract must be established with those entities stating that they will not process the data for any purpose other than providing that service; otherwise they will have to inform users and obtain consent.
When third-party cookies are used, both the publisher and the third party whose cookies are installed are responsible for ensuring that users are clearly informed of the purposes, and for the obligation to obtain consent.
Third-party cookies are stored on the recipient’s device because, in one way or another, the publisher allows it. Normally this happens when the publisher designs the website, at which time it provides a space for third parties to add content.
The browser transmits to the server of the external provider the IP address of the visitor’s computer as well as the technical data of the browser. With this data the server can determine in which format to supply the information.
The administrator of an Internet site that offers external content by inserting it on the site is not able to determine what data the browser transmits or what the external provider does with this data, in particular if it decides to store and analyse it.
For this reason, when the publisher is not the owner of the cookies it uses, it must ensure that the interested parties receive the necessary information and that the mechanisms that allow their consent are enabled.
This responsibility means, for example, that when the information on cookies is offered by third parties through a link to the third party’s website, the publisher must ensure that the links are not broken.
The content of the information as well as its format (language) shall be the responsibility of the third party. In order to ensure that the third party complies with the legal obligations regarding cookies and data protection, the contract between the responsible party and the third party must include one or more clauses that guarantee that sufficient information is given to the users, the way in which acceptance and revocation are to be carried out, as well as the consequences of these.
To the extent that a natural or legal person determines the purposes or means of the processing, that person will be responsible for the personal information they collect and for the processing carried out on that data.
The publishers, agencies, advertising networks or any other agents involved in determining the purposes and/or means of processing must not lose sight of this. This will in many cases give rise to co-responsibility.
Those agents who limit their actions to following the instructions of the controller shall be considered as processors.
The responsibility of the processor will be shaped (contractually) by the specific processing he or she carries out. It should always be borne in mind that when an agent determines the purposes and means of processing personal data, he or she will be considered co-responsible for the processing and must comply with the requirements of Article 26 of the Data Protection Act.
It should be mentioned that co-responsibility does not mean equivalent responsibility among the different entities that determine the purposes and means. The responsibility of each entity will vary depending on the degree of involvement it shows with respect to the processing. It is not possible to determine the responsibility of the participants in a generic way or at first sight. Rather, it will be necessary to examine, on a case-by-case basis, the extent to which the co-responsible parties will have to respond.
In this respect, the scope of the publisher's obligations to inform and obtain consent with regard to third-party cookies is limited to the processing for which it is responsible, insofar as it effectively determines the purposes and means of such processing. Its responsibility shall not, however, extend to subsequent stages of processing, which shall be the sole responsibility of the third party.
The most relevant case in law is the “Fashion ID and Facebook external links” case. In this case, the Court of Justice of the European Union established the concept of co-responsibility on the part of those responsible for processing personal data.
Due to its importance, we reproduce an extract (our own) of the relevant parts of the resolution.