Are you wondering why you need to specify the purpose of data processing for a service in Real Cookie Banner, and in how much detail? In this article, we will explain why you need to specify the purpose of data processing for each service you use on your website and how exactly you should describe this purpose so that you comply with the GDPR and your website visitors get the necessary information. We have explained what a service is and how to find it on your website in another article.
Why do you need to specify a purpose for services?
With Real Cookie Banner, we enable you to meet the requirements of the GDPR as a website operator, and to ensure the privacy of your visitors. As a website operator, you are the so-called responsible party from a data protection perspective, which is why the GDPR imposes various obligations on you. As the data controller, you must take appropriate measures in accordance with Article 12 GDPR to provide the data subjects with all information relating to the processing in a precise, transparent, comprehensible and easily accessible form in clear and simple language. The information that you must provide to data subjects is described in great detail in Article 13 GDPR, and it includes the purposes for which the personal data is processed, as described in this article.
So now you know that you need to specify the purposes of the data processing so that visitors to your website get all the information they need about the data processing. But what exactly do you need to specify as the purpose?
What is a purpose and its benefit?
The GDPR defines purpose as one of the core principles for processing personal data. The purpose refers to the specific reason why personal data is collected, stored, used or otherwise processed. This purpose must be clearly defined and named by the controller, i.e. you. If you have included a contact form on your website, for example, so that visitors to your website can write to you easily, then you must clearly describe the type of communication for which this contact form is intended and why the data processing in the contact form is necessary. A detailed example of this follows in the next section.
Personal data may only be collected and processed for specific, explicit and legitimate purposes. If the data is to be used for a purpose other than the one originally stated, the data subject must be informed and give his/her consent. This means that if you extend the purpose of a service, you must obtain new consent in the cookie banner. The data subject also has the right to know the purpose of the data processing and to verify that the processing is in accordance with that purpose. We are therefore always bound by the purposes we have defined and must describe these purposes clearly. Compliance with this so-called purpose limitation principle is an important part of the GDPR and helps to protect the privacy and rights of data subjects.
The purpose refers to the specific reason why personal data is collected, stored, used or otherwise processed. This purpose must be clearly defined and named by you as the controller so that you can comply with the purpose limitation principle of the GDPR. In practice, you should describe the purpose as precisely as possible so that data subjects can understand what their data is being used for.
What questions must the purpose answer?
To describe the purpose precisely enough that data subjects can understand what their data is being used for, you should answer the following questions:
- What is the function of the service you are using?
- Why are you using this service, and what does it do better than others that led you to choose it?
- What personal data is processed, and what happens to it?
- Does this personal data need to be processed to use this service?
- Who gets access to this data?
- Does this service set cookies, and if so, what functions can these cookies have?
- Can the personal data collected be linked to other data?
- What is the purpose of this linkage with other data?
These questions should give you a sense of what information may be of interest to visitors to your website. It is seldom possible to answer all these questions 100%, as some information is not made publicly available, e.g. by the service operator. You can ask the provider of the service to answer your questions. However, you will often have a hard time getting a meaningful answer.
Of course, this list of questions is not exhaustive, and you should always check yourself whether the information provided is sufficient for your website visitors. But how can the questions be answered in practice?
Specifying the purpose with an example
The information in your Real Cookie Banner should therefore state, transparently and in an easily understandable way, what personal data is collected, who else gets access to the data, and whether the data can be linked to other data.
Let’s take the embedding of a YouTube video as an example to understand what this means in practice.
The purpose statement for our example could read as follows, if we answer all relevant questions from the previous section:
“YouTube enables the direct embedding of content published on youtube.com into websites to enhance the internet presence with videos. Using this service requires processing the user’s IP address and setting cookies for technical reasons. The cookies can be used to collect visited websites and detailed statistics about user behavior, and they are used to improve the services of Google. This data may be linked by Google to the data of users logged in on youtube.com and google.com.”
Consequences of misstating the purposes
In Real Cookie Banner, you also have the option to describe in detail the purposes of each cookie or cookie-like data. The ePrivacy Directive requires that a non-professional user understand the purpose of this service, how personal data is collected and how cookies are used for this purpose.