Consent to the storage of information, or access to information already stored, on a website user's device by cookies is not valid if it is given through a pre-checked box that the user must deselect to refuse consent.

The rules on consent to cookies do not differ according to whether the information stored or accessed on a website user's device is personal data.

Where an undertaking established outside the European Union has several establishments in different Member States, the supervisory authority of a Member State is entitled to exercise its powers under Article 28(3) of Directive 95/46 with respect to the establishment in its territory, even if that establishment is responsible only for selling advertising space and other marketing activities there, and even if another establishment in a different Member State has exclusive responsibility, for the whole territory of the European Union, for collecting and processing personal data.

Where a supervisory authority of a Member State intends to exercise the intervention powers referred to in Article 28(3) of Directive 95/46 against an entity established in that Member State because a third party responsible for processing the data, whose seat is in another Member State, infringed the rules on the protection of personal data, that authority is competent to assess the lawfulness of that processing independently of the supervisory authority of the other Member State. It may exercise those powers with respect to the entity established in its territory without first calling on the supervisory authority of the other Member State to intervene.

Personal data processing by an undertaking engaged in electronic commerce is governed by the law of the Member State to which that undertaking directs its activities, where the processing is carried out in the context of the activities of an establishment in that Member State. Whether that is so is for the national court to determine.

A Member State's data-protection law may apply to a controller registered in another Member State where the controller carries out, through stable arrangements in the first Member State, a real and effective activity there - even a minimal one - and the data processing is carried out in the context of that activity. In deciding whether that is so, the referring court may in particular consider whether the controller runs property websites for properties in that Member State, in that Member State's language and mainly or entirely aimed at that Member State, and whether it has a representative there responsible for debt recovery and for representing it in administrative and judicial proceedings about the processing. The nationality of the data subjects is irrelevant.

In the Hungarian version of Directive 95/46, 'adatfeldolgozás' (technical manipulation of data), including in Articles 4(1)(a) and 28(6), means the same as 'adatkezelés' (data processing).

Personal-data processing by a search engine is carried out in the context of the activities of an establishment of the controller in a Member State where the operator has there a branch or subsidiary that promotes and sells the engine's advertising space and directs its activity towards that Member State's inhabitants.