Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?

Data Protection & Cyber Security

Russia

Russian data protection laws do not directly address the issues of profiling and monitoring, including the use of tracking technologies such as cookies.

Roskomnadzor and the courts take a rather conservative approach, treating such activities as PII processing subject to the general rules. The only legal ground in such a case is the individual's explicit opt-in consent (e.g., a tick-box, banner, or pop-up window requesting the individual's consent on the home page of the website).

Use of purely technical cookies (i.e. those strictly necessary for the functioning of the website, as opposed to cookies enabling targeted advertising, marketing analytics, etc.) is a grey area in terms of compliance, and there is no unified approach regarding the legal grounds for their use. Many companies take a risk-oriented approach, considering that consent is not required and that other legal grounds (such as the legitimate interest of the data controller) can be relied on.

Apart from the legal grounds for profiling and monitoring, these activities must also be described as processing activities in the data controller's Privacy/Confidentiality Policy. For example, a separate Cookies Policy can be drafted and posted on the website, or relevant sections can be incorporated into the general Privacy Policy. Such a Policy shall be available in Russian (or in bilingual format).

Argentina

Section 27 of the Data Protection Law provides that personal data may be used to determine consumer profiles for marketing purposes, provided that such data is gathered from sources accessible to the public or the data subject voluntarily provided the information or consented to its use.

However, Decree No. 1158/01 allows for the collection, processing and assignment of personal data for marketing purposes without the consent of the data subject as long as the data subject is identified only by their belonging to groups based on their preferences or behavior and the personal data is limited to that which the marketer needs to make an offer.

Moreover, Rule No. 4/2009 of the Data Protection Authority requires the following:

  • Data subjects must be able to opt-out of this type of communication, and be expressly and clearly informed of their right to do so.
  • The communication must contain a clear and visible notice to the effect that it is an advertisement, and a transcription of provisions of the Data Protection Law and Decree No. 115/01. In the case of an email its heading must contain the term “Advertisement” (in Spanish, “Publicidad”).
  • The owner of the database must have a mechanism in place that allows for the exercise of the data subject’s right to opt out.

Brazil

There is no definition or specific regulation for tracking technologies, such as ‘cookies’ in Brazil. However, if the information gathered by tracking technologies is able to identify a natural person, they fall within the scope of data protection laws.

Bulgaria

(i) Profiling

As regards profiling, the GDPR applies. No additional national legislation has been adopted.

According to Article 22 GDPR the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Such processing is only allowed if the decision:

  • is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  • is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
  • is based on the data subject's explicit consent.

(ii) Monitoring

As regards ‘employer whistleblowing systems, restrictions on the use of in-house resources, and access controls’ as well as ‘large-scale processing of personal data or systematic large-scale surveillance of publicly accessible areas’, please refer to Question 4.

(iii) Cookies

Bulgarian local requirements on cookie consent follow the provisions of the Cookie Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC). Bulgaria has implemented the Cookie Directive in the Electronic Commerce Act (EA). In conjunction with the E-Commerce rule, GDPR provisions are also applicable insofar as the use of cookies may constitute processing of personal data.

Pursuant to Article 4a EA the provider of information society services may store information or gain access to information stored in the terminal device of the service recipient (i.e. the user), provided that: 1. the user is provided with clear and exhaustive information in accordance with Article 13 GDPR; and 2. the user is provided with the option to refuse the storage of or access to information, meaning to refuse cookies prior to their use by the service provider. The wording of Article 4a differs slightly from the original wording of the Cookie Directive, but it introduces an opt-in regime for the use of cookies, meaning that the user's prior consent is required for the lawful use of cookies.

Under Bulgarian law, there are no specific requirements regarding the definition or the form of 'consent', and consent for the use of cookies should be interpreted by reference to the definition in the GDPR. Consent is not required only for cookies that are necessary for: 1. the transmission of communications over the electronic communications network; or 2. the provision of an information society service explicitly requested by the user. Thus, for the use of non-essential cookies (e.g., marketing and analytics cookies), prior consent must be obtained.

Switzerland

Monitoring or profiling may, but need not necessarily, result in personality profiles (see art. 3 lit. d FADP). As already mentioned, the requirements for the collection and processing of personality profiles are stricter than those for "normal" personal data (see Question 6).

More importantly, art. 45c lit. b of the Federal Act on Telecommunication Services sets out that processing of data on external equipment by means of transmission using telecommunications techniques is permitted only if users are informed about the processing and its purpose and are informed that they may refuse to allow the processing. This provision applies to the use of cookies.

Regarding the use of cookies, Swiss law therefore requires that users are informed about cookies (usually in the privacy notice on the website) and are also informed that they may refuse data collection and processing by cookies. Consent is not needed.

Spain

The ‘Profiling’ that falls within the scope of the GDPR is understood as any form of automated processing of a data subject’s personal data in order to analyze or predict their performance at work, their economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

There are three ways of using profiles in practice: profiling, taking decisions based on profiling, and taking automated decisions based on profiling. Only when the last case «produces legal effects concerning him or her or similarly significantly affects him or her» must the Controller take into account the requirements and measures established in article 22 GDPR. In general, the data subject has the right not to be subject to this kind of decision, except where he or she has given consent or where it is necessary for the performance of a contract, in which case suitable measures to safeguard the data subject's rights will be necessary, or where it is authorized by EU or Member State law.

Regarding monitoring, no specific definition has been established in the GDPR; it is referred to only as a processing operation in the case of systematic monitoring of a publicly accessible area on a large scale, one of the situations which require a data protection impact assessment. In this sense, in the Guidelines on Data Protection Impact Assessment drawn up by the former Article 29 Working Party, "systematic monitoring" appears as a risk criterion to be considered when analysing whether a processing operation may result in a high risk, so that it must be subject to a data protection impact assessment. This expression is defined as «processing used to observe, monitor or control data subjects, including data collected through networks».

The monitoring that must be taken into account for the purposes of the regulation, therefore, is that which involves the processing or collection of personal data in circumstances where data subjects may not be aware of who is collecting their data and how it will be used. For this reason, any processing of data involving the monitoring of an individual must respect the principles and rules of the GDPR.

The use of tracking technologies through information society services, such as cookies, is regulated in Spain by Law 34/2002 (LSSI), although it is intimately connected to privacy, so the GDPR and the Spanish LOPD have affected its regulation. The LSSI establishes the general obligation to inform the user and ask for their consent before downloading and installing cookies on their computer. However, cookies that are strictly necessary to enable communication between the equipment and the network, provide a service expressly requested by the user, allow authentication or identification, provide security, play multimedia, perform load balancing, customize the user interface, or perform other similar functions are excluded from these obligations. In all other cases, informing the user and requesting consent in accordance with the GDPR will be required.

Finally, when profiling and monitoring carried out by the Controller is likely to result in a high risk to the rights and freedoms of the data subjects it will be necessary to carry out an impact assessment on the protection of personal data of the activity, as well as appoint a DPO who will supervise compliance with the obligations on data protection.

Chile

There are no laws governing online privacy in respect of the use of tracking technologies such as cookies. Where cookies gather personal data, this may be deemed data processing, hence companies that place cookies will require the consent of the data subject. In addition, there is some risk in the use of cookies in relation to Law No. 19,223 on computer crime, which does not allow unauthorized access to computers and the information therein.

See also answer to question 23 regarding Net Neutrality Law No. 20,453.

Germany

Profiling is legally defined in Art. 4(4) GDPR and described as any form of automated processing of personal data to evaluate certain aspects relating to a natural person. In addition to the general requirements of Art. 6 GDPR, profiling is subject to further requirements under Art. 22 GDPR if the automated processing has legal effects on (or similarly significantly affects) the data subject. In this case the profiling is forbidden unless one of the exceptions in Art. 22(2) GDPR applies.

Therefore, a contract between the data subject and a data controller, or a law authorized by the European Union or a member state is necessary, or the processing needs to be based on the explicit consent of the data subject. In the first and last case the data controller must implement suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests according to Art. 22(3) GDPR.

For decisions based on the processing of special categories of personal data a simple contract does not suffice. In this case the processing is only lawful on the basis of the data subject’s consent or if there is a legal requirement in European or member state law.

The data subject has the right to object to the profiling under the requirements of Art. 22 GDPR. One typical application is the scoring of data subjects as practised by providers of financial services. Regulations concerning scoring can also be found in § 31 FDPA, which sets out further requirements, such as compliance with the provisions of data protection law, calculation on the basis of a scientifically recognized mathematical-statistical procedure, the use of data other than address data alone to calculate the probability value and, finally, notification of the person affected of the planned use of this data.

Because tracking technologies usually use personal data such as the user's IP address, this kind of processing is restricted by the GDPR. Even if the IP address is pseudonymized, the user remains identifiable. Cookies which carry a pseudonymous ID in order to recognize a previous visitor gather personal data as well. Therefore, a legal basis in Art. 6 GDPR is needed for using tracking technologies.

Whereas statements by various regional supervisory authorities imply that the consent of the person affected must be given for this purpose, other legal professionals and scholars, as well as many private enterprises, argue that other legal grounds are sufficient, depending on the type of tracking technology. Therefore, not all websites currently obtain consent for tracking technologies. The use of a cookie banner with opt-out possibilities is still common.

Probably the most common ground relied on for user tracking is the website provider's legitimate interest in the procedure (Art. 6(1)(f) GDPR). Such a legitimate interest could be the optimization of the website by analyzing visitors' activities on the website.

Even if the website provider has a legitimate interest and one considers this a sufficient legal ground for the processing, it is nonetheless necessary to pseudonymize the IP address to fulfil the principle of data minimization under Art. 5(1)(c) GDPR. Furthermore, visitors must be informed of the data processing taking place in accordance with Art. 13 GDPR. Opt-out possibilities have to be provided.
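The two ways a website operator commonly reduces an IP address before it is stored in analytics or access logs, as an added example that is not part of the original page or of any named authority's guidance: truncation (zeroing the host part, irreversible) and keyed pseudonymization (an HMAC, linkable only by whoever holds the key). The prefix lengths (24 bits for IPv4, 48 bits for IPv6), the key and the sample log lines are assumptions chosen for the illustration, not thresholds taken from German law or from the GDPR.

```python
import hashlib
import hmac
import ipaddress
import re
from typing import Optional

# Assumed truncation widths (illustration only, not a legal threshold): keep the
# first 24 bits of an IPv4 address and the first 48 bits of an IPv6 address.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def mask_ip(addr: str) -> str:
    """Anonymise by truncation: zero the host part so the stored value names a
    network rather than a single endpoint. Irreversible; cannot be re-linked."""
    ip = ipaddress.ip_address(addr)
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    network = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(network.network_address)


def pseudonymize_ip(addr: str, key: bytes) -> str:
    """Pseudonymise with a keyed hash: the same address maps to the same token,
    so returning visitors can still be counted, but without the key the token
    cannot be turned back into the address. An unkeyed hash would not do, since
    the IPv4 space is small enough to enumerate; the secret key is what makes
    the token pseudonymous. Rotating the key breaks linkability across periods."""
    ip = ipaddress.ip_address(addr)
    return hmac.new(key, ip.packed, hashlib.sha256).hexdigest()[:32]


# Combined-format access log: the client IP is the first whitespace-delimited field.
_CLIENT_IP = re.compile(r"^(\S+)")


def scrub_log_line(line: str, key: Optional[bytes] = None) -> str:
    """Rewrite the client-IP field of one access-log line before it is stored.
    With a key the address is pseudonymised (linkable per key); otherwise masked.
    Lines whose first field is not an IP address (e.g. a '-' placeholder) are
    returned unchanged."""
    match = _CLIENT_IP.match(line)
    if not match:
        return line
    raw = match.group(1)
    try:
        replacement = pseudonymize_ip(raw, key) if key else mask_ip(raw)
    except ValueError:
        return line
    return replacement + line[match.end():]


if __name__ == "__main__":
    # Constructed sample lines, not real traffic.
    sample = [
        '203.0.113.77 - - [16/Sep/2019:10:12:01 +0200] "GET / HTTP/1.1" 200 512',
        '2001:db8:abcd:1234:5678::1 - - [16/Sep/2019:10:12:02 +0200] "GET /a HTTP/1.1" 200 128',
    ]
    for entry in sample:
        print(scrub_log_line(entry))
        print(scrub_log_line(entry, key=b"rotate-me-regularly"))
```

Masking is the choice when the log only needs rough geography or per-network counts; the keyed variant keeps returning-visitor counts possible while keeping the raw address out of the log, at the cost of having to protect and rotate the key like any other secret.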

Overall, the legal basis for the use of tracking is currently very controversial and unclear in Germany. Irrespective of the decision expected from the European Court of Justice in the 'Planet49' case, clarity will not be achieved until the ePrivacy Regulation has been adopted. The ePrivacy Regulation is intended to clarify and supplement the GDPR with regard to electronic communications as sector-specific data protection law and to take precedence over it in this respect. It is unclear when adoption can be expected, but a new draft was published under the Romanian Council Presidency at the end of February 2019.

India

There is no specific restriction given under the IT Act in respect of use of monitoring / profiling / tracking technologies (such as cookies).

This is typically governed by the conditions of use of websites.

China

Under the CSL regime, tracking technologies like cookies are not prohibited, but cookies are usually regarded as personal information, the collection of which shall comply with personal information requirements. Besides, regarding other profiling terms, the PI Specification recommends limiting direct user profiling.[63] It is "direct user profiling" when the personal information of a specific natural person is directly used to create a unique model of the natural person's characteristics.[64] Personal information controllers engaging in direct profiling activities are required by the PI Specification to disclose the existence and the purposes of the direct profiling.[65] Where automated decisions are made based on such profiling and have a significant impact on the personal information subject's rights and interests, personal information controllers should provide means for the personal information subject to lodge a complaint.[66]

In the E-commerce context, when displaying search results for commodities or services to consumers according to their interests, preferences, consumption habits and other personal characteristics, an e-commerce operator shall also provide consumers with options unrelated to their personal characteristics, and respect and equally safeguard the lawful rights and interests of consumers.[67]

[63] PI Specification, 7.3 a).
[64] PI Specification, 3.7.
[65] PI Specification, 5.6 a) 2).
[66] PI Specification, 7.10.
[67] E-commerce Law, § 18.

Indonesia

Indonesian laws do not recognize or acknowledge the term 'cookies', but cookies may fall under the definition of Personal Data, given its broad definition. In such a case, the general principle of 'consent' for Personal Data under Indonesian law applies to the collection of cookies.

Portugal

Profiling is defined as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements (article 4 (4) of the GDPR). Please refer to answers 5 and 20 above regarding restrictions applicable to it.

As regards cookies, Law 46/2012, on the processing of personal data and protection of privacy in electronic communications, establishes that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user shall only be allowed with prior consent and provided that clear and comprehensive information (in accordance with the Data Protection Laws) has been given, including inter alia about the purposes of the processing, unless such storage or access is required for:

a) the sole purpose of carrying out the transmission of a communication over an electronic communications network;

b) the provision of a service explicitly requested by the subscriber or user.

In the absence of guidelines from the CNPD regarding cookies, controllers should take into consideration Working Document 2/2013 of the Article 29 Working Party, which provides guidance on obtaining consent for cookies, as these guidelines reflect the position of the European Data Protection Authorities and their interpretation of the GDPR provisions, at least until the new ePrivacy Regulation is approved and enters into force.

United Kingdom

A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly affects them. This applies where there is no human involvement in the decision-making process. Such a process can only be carried out by an organisation if the decision is:

  • necessary for entering into or performance of a contract between the organisation and the individual;
  • authorised by law (for example, for the purposes of fraud or tax evasion); or
  • based on the individual’s explicit consent.

If special category personal data is involved the business can only carry out such processing:

  • if it has the individual’s explicit consent; or
  • if the processing is necessary for reasons of substantial public interest.

The controller must notify the data subject in writing as soon as possible that the decision has been based solely on automated processing. The data subject may within 1 month request the controller to reconsider the decision or take a new decision that is not based on automated processing. The controller then has to respond without delay and in any event within 1 month and consider the request.

A business must tell people if it uses cookies, and clearly explain what the cookies do and why. Cookies and similar technologies which are used to store or gain access to information on a device can only be used with the consent of the individual. There is an exception for cookies that are essential to provide an online service at someone’s request (eg to remember what’s in their online basket, or to ensure security in online banking).

Sweden

The term monitoring is not used. Nevertheless, the term profiling is used and it is defined in article 4 of the GDPR as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.

According to article 22 of the GDPR, the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision:

  • is necessary for entering into, or performance of, a contract between the data subject and a controller;
  • is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
  • is based on the data subject's explicit consent.

Further, the decision may typically not be based on special categories of personal data and the controller must under certain circumstances implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests to express his or her point of view and to contest the decision.

Not all profiling falls however under article 22 of the GDPR. Regarding such profiling that falls outside article 22 of the GDPR’s scope it is debated whether consent must be obtained or not from the data subject.

Finally, chapter 6 paragraph 18 of the Cookie Act stipulates that data from cookies may only be stored in or retrieved from a website visitor's terminal equipment if the visitor is provided with information about the purpose of the processing and consents to it. This does not, however, prevent such storage or access as is necessary to transmit an electronic message via an electronic communications network or to provide a service explicitly requested by the visitor.

Greece

In addition to the GDPR provisions on monitoring and profiling, at national level, HDPA regulates and further interprets through its Directives specific aspects of these matters, such as Directive 115/2001 which defines monitoring at the workplace and Directive 1/2011 on CCTV monitoring. Moreover, with regards to the use of tracking technologies such as GPS, the HDPA by a set of decisions has defined the framework of GPS operation and use by data controllers, while with regards to cookies, the provisions of Law 3471/2006 remain in force.

Article 4 par. 5 of Law 3471/2006 stipulates that installation of cookies is only allowed if the subscriber or user "has given his/her consent after having been clearly and extensively informed in accordance with paragraph 1 of article 11 of Law 2472/1997, as in force".

Therefore, according to the above, the provider of an online service (for example an e-shop) or a third party (for example, an advertising site which promotes products through a website of an e-shop) may install cookies only if the subscriber or user has given his/her consent to this after having been duly informed (with the exception of the technically necessary cookies).

Turkey

Turkish Law does not explicitly regulate monitoring, profiling or the use of tracking technologies. Therefore, such activities and the use of related technologies are governed by the general provisions of data protection law. Since unique identifiers such as IP addresses or device-specific information are considered PII under Turkish Law, the use of cookies to track devices and browsing patterns may require the explicit consent of the data subject, depending on the purpose of the processing.

Austria

The relevant provisions of the GDPR apply in this respect.

The use of cookies is regulated in a separate provision: as a general rule, website visitors must be informed as to which personal data is collected, processed or transmitted, on what legal basis, for what purposes and for how long the data will be stored. The obtaining of certain data is permissible only with the consent of the visitors. Cookies are subject to this provision if they are capable of uniquely identifying a website visitor. This is not only the case if cookies contain the name or user ID of a website visitor, but as soon as they are able, in whatever form, to differentiate a particular website visitor from the totality of all visitors. The storage of cookies is excluded from the consent obligation only if the cookies are absolutely necessary in order to provide a specific service expressly requested by the user (such as cookies which are technically indispensable for the operation of an online shop or for online banking). However, these cookies may only be stored for as long as they are absolutely necessary for this service.

France

A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly affects them. This applies where there is no human involvement in the decision-making process. Such a process can only be carried out by an organisation if the decision is:

  • necessary for entering into or performance of a contract between the organisation and the individual;
  • authorised by law (for example, for the purposes of fraud or tax evasion);
  • based on the individual’s explicit consent; or
  • under certain conditions, an individual administrative decision provided that it does not involve sensitive data.

The use of cookies in this respect is restricted, and the CNIL considers that website managers, mobile application publishers, advertising agencies, social networks and publishers of audience measurement solutions shall, before storing or reading a cookie on a user's device:

  • inform Internet users on the purpose of the cookies used;
  • obtain their consent which shall not be valid for longer than 13 months; and
  • provide Internet users with a means to refuse the use of cookies.

However, cookies which are used solely for technical purposes, such as "shopping cart" cookies on a merchant site or authentication cookies, are not required to comply with the above conditions.

United States

Laws in the U.S. that apply to monitoring or profiling generally have not historically restricted these activities, but rather regulate or require disclosures regarding the use of cookies and other tracking technologies. The CCPA is positioned to change this by providing an opt-out of the selling of data, which as currently defined and interpreted would be implicated by many interest-based advertising activities.

There are two federal statutes that, although they do not directly apply to cookies, have been used to enforce activities relating to cookies used for tracking and behavioral advertising. For example, the FTC Act has been used as a basis for regulatory enforcement against entities misrepresenting or failing to disclose tracking cookies. Enforcement actions have also been taken on the basis of the Federal Computer Fraud and Abuse Act (CFAA), and state equivalents, against entities using cookies for behavioral advertising, where the cookie allowed for deep packet inspection. Some states have deceptive practices acts which have been used as a basis for enforcement similar to the federal laws described above. Recently, the city attorney for Los Angeles brought a claim under California’s consumer protection laws against the Weather Channel for disclosing users’ geolocation data to advertisers and others without clear and conspicuous notice and express consent.

Moreover, certain states have laws that impose disclosure obligations as to the use of and/or disablement of tracking technologies. For example, under CalOPPA, and other state laws that have copied it, there is an obligation for entities to disclose in their online privacy policy whether the website responds to “Do Not Track” signals and whether third parties may collect personal information across time and services using tracking technologies associated with them when a consumer uses the site.

In addition, ECPA, SCA and CFAA, as well as tort laws, have been used as a basis for lawsuits against companies utilizing keystroke and other tracking features on websites and mobile apps, although that law is evolving.

Finally, the Digital Advertising Alliance and the Network Advertising Initiative self-regulatory programs for the U.S. digital advertising industry require notice, enhanced notice for intrusive or sensitive tracking, and an opportunity to opt out.

Malaysia

There are no provisions which define or restrict the use of tracking technologies such as cookies.

Gibraltar

The Privacy Regulations govern the use of cookies by Gibraltar-based service providers. The rules in force in Gibraltar are essentially that cookies can only be placed on computer equipment where the individual has given consent. Before giving consent, the individual must be provided with clear and comprehensive information about the purposes of the storage of, or access to, that information.

In addition to the Privacy Regulations, service providers must comply with the requirements as to the protection of personal data as set out in GDPR, such as Article 6, which sets out the provisions for the lawful processing of personal data (even that obtained by way of cookies).

Further, Article 7 of GDPR gives the data subject the right to withdraw consent for the processing of data gathered through the use of cookies.

Ireland

A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly affects them. This applies where there is no human involvement in the decision-making process. Such a process can only be carried out by an organisation if the decision is:

  • necessary for entering into or performance of a contract between the organisation and the individual;
  • authorised by law; or
  • based on the individual’s explicit consent.

If special category personal data is involved, the organisation can only carry out such processing:

  • if it has the individual’s explicit consent; or
  • if the processing is necessary for reasons of substantial public interest.

The controller must inform the data subject of the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

An organisation must inform individuals that it uses cookies, and clearly explain what the cookies do and why. Cookies and similar technologies which are used to store or gain access to information on a device can only be used with the consent of the individual. There is an exception for cookies that are essential in order to provide an online service at someone's request (e.g. to remember what is contained in an online basket, or to ensure security in online banking).

Japan

Under the APPI, online identifiers (IP address, cookies, etc.) and location information alone, in and of themselves, do not constitute "personal information" (APPI, Article 2.1(i)).

However, in exceptional cases, when such information can be easily matched with other information, and when, through such matching, it becomes possible to identify specific individuals, such information falls under “personal information”, and becomes subject to regulation under the APPI.

Updated: September 16, 2019