Germany: Ministry publishes Ordinance on cookies and consent
On September 4, 2024, the Federal Ministry for Digital and Transport (BMDV) announced the adoption by the Federal Government of a new Regulation pursuant to Section 26(2) of the Telecommunications Digital Services Data Protection Act (TDDDG). The Consent Management Ordinance sets out requirements relating to the use of cookie banners and the provision of user consent.
Consent management requirements
Specifically, the Ordinance provides that recognized consent management services must store the settings made by end users using a digital service for the first time. Such a requirement also applies if the provider of digital services requests end user consent in accordance with Section 25(1) of the TDDDG.
Consent management services must only manage consent about which the digital service provider has informed the end user before the consent is granted. When providing consent, end users must be informed of:
- the provider of digital services or third parties who store information in the end user's terminal equipment or who can access information already stored there;
- the specific information to be stored in the end user's terminal equipment and the specific information already stored there that is to be accessed;
- the purposes for which information is to be stored and for which information already stored is to be accessed;
- the periods during which the information is to be stored; and
- the right to revoke consent at any time and that the legality of the access and storage carried out on the basis of consent is not affected by such revocation.
In addition, the Ordinance outlines that a consent management procedure is considered user-friendly if:
- the user interface is designed to be transparent and understandable so users can make free and informed decisions; and
- the end user's settings, including the date and time the decision was made, can be viewed by the end user at any time using the information provided and can be changed or revoked at any time.
Requests to view the end user's settings by the consent management service may not be made until one year has passed unless the end user has provided a different setting. Consent management services must also enable end users to export the end user settings together with the information provided into common file formats. Likewise, regarding the right to data portability, the Ordinance provides that end users have the right to switch to another recognized consent management service and to transfer the settings they have made to another consent management service.
Consent registration
The Ordinance outlines application requirements for consent management services to be recognized. The Federal Commissioner for Data Protection and Freedom of Information (BfDI) is the responsible authority for the recognition of consent management services. Notably, when applying for recognition, consent management service providers must declare that they will not process end users' personal data for any purposes other than consent management. Applications must also be accompanied by security information, including, among other things:
- the storage location of the personal data; and
- the necessary technical and organizational measures taken to protect personal data from unauthorized access and ensure the availability of and access to personal data.
The Ordinance enters into effect on the first day of the quarter following its publication.
You can read the press release here and the Ordinance here, both only available in German.