Do I become a data controller by using cookies on my website?

ANSWER

According to the Austrian supervisory authority, if a website operator decides to use cookies (or other similar mechanisms), they become a data controller or joint controller, provided that personal data is being processed.

It does not matter whether the cookies are transmitted from a server to the browser of a website visitor or generated directly in the visitor's browser through JavaScript code embedded on the website.

It also does not matter whether the website operator has access to the personal data itself, for example, to an interest profile of a website visitor created by an advertising network (see the judgment of the Court of Justice of the European Union of 10 July 2018, Jehovan todistajat, C-25/17, paragraph 69).

According to the Austrian supervisory authority, a website operator is a data controller (at least to some extent) if they use cookies (or other similar mechanisms) on their website for their own purposes (e.g., commercial purposes, such as displaying personalized advertisements), and personal data is processed as part of that activity.