The Andorran APDA specifies that the Guidelines are not intended to provide a one-size-fits-all solution for all businesses but rather offer tools that businesses may rely on to ensure legal compliance depending upon their particular interests and business model.
It is important to note that Andorran companies, in addition to Law 29/2021, may also be subject to the European Union’s General Data Protection Regulation in the following scenarios, and thus should develop compliance with its provisions:
- They offer goods and services in the EU;
- They have a branch in an EU country; or
- They monitor the activity of EU residents.
- User’s consent must always be obtained prior to the activation of non-essential cookies. Consent should be free, informed, specific, unequivocal, and captured by a clear affirmative statement or action by the data subject.
- Organizations are recommended to maintain consent records, including the status of a user’s consent (i.e., whether they have accepted or rejected all cookies or customized them) and the date and time for the provision of consent.
- Users should be informed of the existence of technical or strictly necessary cookies and their purposes.
- Consent should be given voluntarily, without any element of pressure or undue influence. If a website offers an incentive to users for giving consent, such consent is valid, provided the lack of consent by a user does not negatively affect the quality of service received by them.
- Users must be provided with the following minimum information before their consent is collected:
- official name of the company;
- details of the registered office;
- registration information of the company or details of the parent act in case of a public entity;
- contact address(es); and
- identity of the data protection officer, if any, and their contact details;
- The personal data to be collected;
- The processing purposes;
- The cookie retention period;
- The process of accepting or rejecting cookies and the consequences for said actions;
- The existence of the right to withdraw consent at any time and the mechanism of doing so; and
- The potential recipients of the data collected.
- Users have the right to know the identity of the entity in charge of collecting and processing of their data.
- Consent should be obtained through an express affirmative action, such as clicking on “I consent,” “I accept,” or similar buttons. Users should be aware that they are giving consent to the processing of their data through a particular action. Mere inactivity, such as a user continuing to browse a website, does not imply consent.
- Options allowing global acceptance or rejection of cookies are valid so long as the option to customize cookies is equally visible and accessible in order to enable the data subject to opt-in and opt-out of specific cookie categories.
- The data subject should be able to withdraw consent as easily and in the same manner as consent is granted. Users should be able to withdraw consent without suffering any adverse consequences. Users should also be informed that the withdrawal of consent will not affect the legality of any prior data processing based on their consent and that the data controller may continue to process their data based on any other lawful processing grounds if applicable.
- If cookies from third parties are used for the provision of a service requested by the user, the service provision contract should establish expressly that the service providers shall not process the data for any purpose other than to provide the requisite service. Otherwise, it would be necessary to inform the users of the other purposes and obtain their consent.
- If third-party cookies are used for purposes that require the user’s consent:
- The publisher of the website should ensure that the users receive the necessary information about the cookies, and the mechanisms for providing and revoking consent are enabled; and
- The relevant third party should ensure that the information provided to the users is not outdated and is offered in the language of the website.
The foregoing respective obligations, along with the consequences of the revocation of consent for the publisher and the third party, should be enumerated in a contract entered into between the two entities.
- Requisite information relating to the data controller;
- Description and purposes of the cookies being used;
- Specification of the personal data collected through the cookies, provided if no personal data is collected through cookies, the same should be highlighted;
- Purposes of data processing;
- Types of cookies being used, accompanied by their brief description on the first information layer of the cookie banner - the second information layer must explain the cookie purposes in detail;
- Expiry period of the cookies;
- Mechanism of revoking consent - guidance should also be provided to users on how to delete the cookies stored in their operating systems and how to disable consent in different browsers; and
How Securiti can Help
Securiti’s Cookie Consent Solution helps organizations comply with applicable cookie consent legal requirements with the help of the following features:
- The implementation of an opt-in cookie consent banner and deactivation of non-essential cookies by default for the opt-in regime;
- The ability to design legally appropriate cookie consent banners, which provide all requisite information to users for consent to be informed and specific;
The ability to design equally prominent accept and reject fields on the cookie consent banner;
- Configurable consent preference centers allowing granular consent opt-ins and opt-outs and honoring immediate consent revocations; and
- Updated and comprehensive consent records.
Ask for a DEMO to understand how Securiti can help you comply with cookie consent requirements of global privacy laws.