Are you wondering why you need to specify the purpose of data processing for a service in Real Cookie Banner, and in how much detail? In this article, we explain why you need to specify the purpose of data processing for each service you use on your website and how exactly you should describe this purpose so that you comply with the GDPR and your website visitors get the necessary information. We have explained in another article what a service is and how to find it on your website.
Why do you need to specify a purpose for services?
With Real Cookie Banner, we enable you to meet the requirements of the GDPR as a website operator and to ensure the privacy of your visitors. As a website operator, you are the so-called responsible party (the data controller) from a data protection perspective, which is why the GDPR imposes various obligations on you. As the data controller, you must take appropriate measures in accordance with Article 12 GDPR to provide the data subjects with all information relating to the processing in a precise, transparent, comprehensible and easily accessible form in clear and simple language. The information that you must provide to data subjects is described in great detail in Article 13 GDPR. It includes the purposes for which the personal data is processed, which are the subject of this article.
So now you know that you need to specify the purposes of the data processing so that visitors to your website get all the information they need about the data processing. But what exactly do you need to specify as the purpose?
What is a purpose and its benefit?
The GDPR defines purpose as one of the core principles for processing personal data. The purpose refers to the specific reason why personal data is collected, stored, used or otherwise processed. This purpose must be clearly defined and named by the controller, i.e. you. If you have included a contact form on your website, for example, so that visitors to your website can write to you easily, then you must clearly describe the type of communication for which this contact form is intended and why the data processing in the contact form is necessary. A detailed example of this follows in the next section.
Personal data may only be collected and processed for specific, explicit and legitimate purposes. If the data is to be used for a purpose other than the one originally stated, the data subject must be informed and give his/her consent. This means that if you extend the purpose of a service, you must obtain a new consent in the cookie banner. The data subject also has the right to know the purpose of the data processing and to verify that the processing is in accordance with that purpose. We are therefore always bound by the purposes we have defined and must describe these purposes clearly. Compliance with this so-called purpose limitation principle is an important part of the GDPR and helps to protect the privacy and rights of data subjects.
The purpose refers to the specific reason why personal data is collected, stored, used or otherwise processed. This purpose must be clearly defined and named by you as the controller so that you can comply with the purpose limitation principle of the GDPR. In practice, you should describe the purpose as precisely as possible so that data subjects can understand what their data is being used for.
What questions must the purpose answer?
To describe the purpose precisely enough that data subjects can understand what their data is being used for, you should answer the following questions:
- What is the function of the service you are using?
- Why are you using this service, and what does it do better than others that made you choose it?
- What personal data is processed, and what happens to it?
- Does this personal data need to be processed to use this service?
- Who gets access to this data?
- Does this service set cookies, and if so, what functions can these cookies have?
- Can the personal data collected be linked to other data?
- What is the purpose of this linkage with other data?
These questions should give you a sense of what information may be of interest to visitors to your website. It is seldom possible to answer all these questions 100%, as some information is not made publicly available, e.g. by the service operator. You can ask the provider of the service to answer your questions. However, you will often have a hard time getting a meaningful answer.
Of course, this list of questions is not exhaustive, and you should always check yourself whether the information provided is sufficient for your website visitors. But how can the questions be answered in practice?
Specifying the purpose with an example
The information in your Real Cookie Banner should therefore state, in a transparent and easily understandable way, what personal data is collected, who else gets access to the data, and whether the data can be linked to other data.
Let’s look at embedding a YouTube video as an example to understand what this means in practice:
If you want to load a YouTube video on your website, the IP address of the visitor must inevitably be transmitted to YouTube or Google so that the video player and later, if necessary, the video can be loaded. Even if Google states in its privacy policy that the IP address is not stored and evaluated for marketing purposes, the IP address must usually be processed in the web server, logs, etc. on Google servers. The scripts of YouTube and Google can set various cookies and, in part, also read out cookies that were set, for example, when the user was previously logged in to youtube.com. We have explained in detail in a separate article why you need consent for setting and reading non-essential cookies.
So, stating the purpose for our example could be as follows, if we answer all relevant questions from the previous section:
“YouTube enables the direct embedding of content published on youtube.com into websites to enhance the internet presence with videos. To use this service, this requires processing the user’s IP address and setting cookies for technical reasons. The cookies can be used to collect visited websites and detailed statistics about user behavior and they are used to improve the services of Google. This data may be linked by Google to the data of users logged in on youtube.com and google.com.”
Consequences of misstating the purposes
If the purposes of the data processing are not clearly and unambiguously described, this may lead to violations of the GDPR and could result in sanctions from a supervisory authority (such as fines) or claims for damages from data subjects. A statement such as “We use cookies to provide you with a better user experience” is definitely not sufficient as a purpose description. That is why Real Cookie Banner offers you numerous service templates in which the possible purposes are already pre-formulated. However, we still recommend that you regularly review and update the purpose of the data processing for your specific case.
When processing particularly sensitive personal data, it may also be necessary for you to conduct a data protection impact assessment (DPIA) pursuant to Article 35 GDPR if this is likely to result in a high risk to the rights and freedoms of natural persons. It is important that, in addition to the accurate information in the cookie banner, the privacy policy on the website is easily accessible and clearly stated so that data subjects understand what data is being collected and for what purpose.
In Real Cookie Banner, you also have the option to describe in detail the purposes of each cookie or cookie-like data. The ePrivacy Directive requires that a non-professional user understands the purpose of this service, how personal data is collected and how cookies are used for this purpose.