Germany: Legal bases of third-party services for tracking purposes
On 14 November 2019, most German Data Protection Authorities ('DPAs'), including those from Berlin, Brandenburg, Hamburg, Hesse, and Lower-Saxony, published similar press releases with the core message that the use of third-party services for tracking purposes is only possible on the legal basis of consent of website visitors in accordance with Article 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). According to the DPAs, the background to these publications is a high volume of complaints and inquiries regarding the use of analysis tools. Dr. Carlo Piltz, Salary Partner at reuschlaw Legal Consultants, provides a brief overview of what the press releases specified and what does or does not qualify as consent.
In addition, website operators are irritated because, in the past, the DPAs accepted the practice of concluding a data processing agreement with providers of tracking functionalities. For example, the Hamburg, Lower-Saxonian, and Bavarian Data Protection Authorities had previously considered a processor's use of analysis tools to be legitimate so long as certain conditions were met. According to the current statement by the DPAs, this view is now outdated and obsolete as the conditions have changed. The DPAs refer to a telemedia orientation guide from the Data Protection Conference, in which a very strong tendency towards requiring consent has already been pointed out.
According to the Berlin DPA, it is generally considered permissible for website operators to carry out online analysis and to collect the number of visitors per page, the devices used, and the language settings, even if this is done by a processor. However, according to Article 28 of the GDPR, a processor is only allowed to process data on the instruction of the controller and may not use the data for its own purposes. In addition, the DPAs highlight the requirements for consent according to Article 4(11) of the GDPR. According to Recital 32 of the GDPR, silence, pre-ticked boxes, or inactivity of the data subject cannot qualify as consent.
The Berlin DPA further explained that website operators who integrate third-party functions in violation of the GDPR must not only expect instructions for action by the authorities, but should also expect the imposition of fines. Controllers should be aware that the DPAs are increasingly carrying out audits on the use of analysis tools.
Dr. Carlo Piltz Salary Partner
reuschlaw Legal Consultants, Berlin