[buzer]

Official EU website, generally speaking, are not bound by GDPR or ePD. Rather EU bodies are bound by EUDPR. I'm not well-versed on that specific thing, but EDPS and courts have previously found that EC has infringed EUDPR so it wouldn't be weird if their cookie banner was breaking the law as well.

[AlexanderHanff]

They actually are bound by the ePrivacy Directive due to jurisprudence (EU bodies must comply with CJEU rulings).

I actually wrote to the EDPB on 25th May 2018 (the day GDPR came into effect) and forced them to make their own website compliant with the ePrivacy Directive (I still have the email thread, it was quite an interesting discussion).

I also filed a complaint against the Court of Justice on October 1st 2019 within minutes of them publishing their Judgment on the Planet49 case (C-673/17) because their own website didn't comply with the judgment - they fixed it within 18 minutes.

So yes EU institutions get it wrong sometimes, but they generally fix it quickly when they are informed. I currently have a big case ongoing with the EDPS against the European Commission and the European Parliament for hosting live streams directly on social media instead of the official live streaming platform setup for EU bodies (on the basis that forcing people to engage on social media is a breach of fundamental rights because it allows those platforms to infer special category data (political interests and others depending on the topic of the live stream).

EDPS just actually updated me this week that they have concluded their side and are now waiting on the final responses from the Commission and Parliament.

So yes, the rules do work, but you have to be pro-active, armchair activism doesn't work.

[buzer]

I would like to see that thread if possible just out of curiosity.

I looked a bit into EUDPR and the earlier 45/2001 regulation (EUDPR came in effect in December 2018 so a bit later than GDPR). EUDPR explicitly imports Article 5(3) of ePD (via Article 37) and thus whatever case law there is around it. The earlier regulation seems to do this more indirectly (references in recitals), but EDPS view from 2016 is that it effectively does import Article 5(3) as well.

Personally I haven't dealt with EU institutions so far. On general public sector side I did recently seek some clarifications from Finland's Ministry of Justice regarding one of their websites and their responses weren't exactly reassuring.

I asked for the GDPR Article 15(1) information regarding single visit (i.e. information about processing, not actual copies of data) and it took them almost 3 months to give official response. Even after that time they, for example, failed to identify if they are actually the controller or not for some of the processing (Cloudflare challenge). And their stance is that analytics (Matomo) does not need Article 6 legal basis at all, i.e. they seem to think that anonymization step itself is not processing.