Germany: FAQs - What does the TTDSG mean for you?
The Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia of 23 June 2021 ('TTDSG') entered into force on 1 December 2021.1 The TTDSG regulates the protection of confidentiality and privacy when using telecommunications and telemedia services, such as websites, messengers, or smart home devices, and changes the legal framework for the use of cookies and comparable technologies, implementing the requirements of the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) ('the ePrivacy Directive') into national law.
OneTrust DataGuidance provides an overview of some frequently asked questions ('FAQs') and answers on the TTDSG, featuring comments by Dr Carlo Piltz and Philipp Quiel, Partner and Counsel respectively at Piltz Legal.
1. What kind of technical and organisational measures do I need to implement under the TTDSG?
Telemedia providers must take technical and organisational measures to ensure that telemedia users can stop using the service at any time and use telemedia in a way that protects them from third parties' knowledge (Section 19(1) of the TTDSG). In addition, telemedia providers must enable the use of telemedia and their payment anonymously or under a pseudonym, insofar as this is technically possible and reasonable (Section 19(2) of the TTDSG).
Telemedia providers must also, insofar as this is technically possible and economically reasonable, ensure through technical and organisational measures within the scope of their respective responsibility for telemedia offered on a commercial basis that no unauthorised access to the technical equipment used for their telemedia services is possible, and that these are secured against disturbances, insofar as they are caused by external attacks (Section 19(4) of the TTDSG). For example, the use of an encryption method is recognised as secure (Section 19(4) of the TTDSG). Telemedia providers must further take into account the state of the art when implementing technical and organisational measures (Section 19(4) of the TTDSG).
Providers of publicly available telecommunication services and those offered wholly or partly on a business basis, as well as natural and legal persons involved in the provision of these services, must take the necessary technical and organisational measures to prevent erroneous transmissions and the unauthorised disclosure of message content within the provider's company and to third parties (Section 6(2) of the TTDSG). However, measures are only required if their cost is in reasonable proportion to the intended protective purpose (Section 6(2) of the TTDSG). In addition, insofar as it is necessary with regard to the intended protective purpose, the measures must be adapted to the respective state of the art (Section 6(2) of the TTDSG).
The technical and organisational measures must be observed in addition to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').2
In addition to encryption as a technical and organisational measure and practical tool to comply with the TTDSG, Dr Piltz and Quiel note, "Basically, the same range of measures is available to companies here as under Article 32 of the GDPR. Organisational measures include internal instructions and guidelines for employees. On a technical level, for example, rights and role concepts for accessing data could be implemented. Backup systems can also be included here, as this enables smooth operation of the service. Pseudonymisation of data can also be considered as a technical measure".
2. What information does a TTDSG-compliant cookie policy need to include?
The information must be provided in accordance with the GDPR and must be clear and comprehensive (Section 25(1) of the TTDSG).3
In addition, users of telemedia must be informed about the possibility to use telemedia and their payment anonymously or under a pseudonym, if technically possible and reasonable (Section 19(2) of the TTDSG). Furthermore, the user must be informed of the transfer to another telemedia provider (Section 19(3) of the TTDSG).
3. What are the requirements for a TTDSG-compliant cookie banner?
The information and consent displayed in cookie banners must comply with the GDPR (Section 25(1) of the TTDSG).
According to the EDPB4, at least the following information is required for obtaining valid consent:
- the controller's identity;
- the purpose of each of the processing operations for which consent is sought;
- what (type of) data will be collected and used;
- the existence of the right to withdraw consent;
- information about the use of the data for automated decision-making in accordance with Article 22(2)(c) of the GDPR, where relevant; and
- on the possible risks of data transfers due to the absence of an adequacy decision and of appropriate safeguards, as described in Article 46 of the GDPR.
According to the Lower Saxony data protection authority ('LfD Niedersachsen'), the purposes of processing must be described in concrete terms.5 It is not sufficient to state, for example, that cookies are used:
- "to optimally design and improve the website for you";
- "improve your browsing experience";
- "to carry out web analysis and advertising measures"; or
- "marketing, analytics and personalisation".
In addition, it is not sufficient to generally state that information will be shared with 'partners' and that these partners may combine the information with other data, if user tracking by third-party services is used on the website, these services create user profiles, and the data is used for marketing purposes. In this case, to obtain valid informed consent, the purposes of the processing must be specifically explained, in particular when individual profiles are created and enriched with data from other websites to form comprehensive usage profiles; if third-party service providers are integrated, they must be named individually.6
Furthermore, in a layered consent, the right to withdraw consent must be mentioned on the first level of the consent window. Thus, it is not sufficient to provide a link to the data protection notice in this window, which then contains a reference to the right of withdrawal. If the reference to the right to withdraw consent is missing, it must be assumed that consent is invalid.7
4. How do I obtain a valid cookie consent under the TTDSG?
Cookie consent is valid if it complies with the consent requirements under the GDPR (Section 25(1) of the TTDSG). The definition according to Article 4(11) of the GDPR is crucial, as well as the requirements for effective consent under Article 7 and with respect to consent of minors Article 8 of the GDPR. When assessing the effectiveness of consent under Section 25(1)(1) of the TTDSG, the same assessment criteria are applied as for consent under Article 6(1)(a) of the GDPR.8
In particular, the timing of consent is important. Consent must be given prior to the data processing. Hence, cookies cannot be stored and data cannot be transmitted to third-party service providers when users access a website for the first time before they have given consent. The consent window should open at the same time as a pop-up requesting consent. In addition, for a valid cookie consent, it is not sufficient that consent is only formally obtained. The user's decision must also be implemented correctly from a technical point of view, meaning that the cookies requiring consent may only be set when the user has actually agreed to this in the consent tool.9
In addition, opt-out processes are insufficient as they do not respect the requirement of active consent. In accordance with Recital 32 of the GDPR, implied conduct such as silence, inaction, or pre-checked boxes cannot be considered consent.
Even the terms 'agree', 'I consent', or 'accept' may not be sufficient in individual cases if it is not clear from the information text what the consent is specifically given for. Ambiguities also arise if sliders and buttons in the consent layer are not recognisably linked to each other for the user and, for example, are automatically activated when the 'Accept all'-button is clicked. 'Accept all' can also be understood to mean that all cookies are accepted whose sliders are active.10
Consent is freely given only if access to services and functionalities is not made conditional on the consent of a user to the storage of information or gaining of access to information already stored in the terminal equipment of a user, in so called cookie walls.11 However, if the user is offered the alternative of making the content visible by paying an appropriate fee in addition to their consent, then the element of freely given consent is not violated.12
Further, nudging refers to techniques intended to influence user behaviour. If nudging is used by the controller with the aim of inducing the data subject to give consent, this may violate different legal requirements for consent under data protection law, depending on the specific design. There are limits to permitted nudging, and behavioural manipulation can lead to the invalidity of consent.13
Article 7(3)(4) of the GDPR explicitly requires that the revocation of consent must be as simple as the granting of consent. Hence, if consent is given directly when using the website, it must also be possible to revoke it in this way. Exclusive revocation options via other communication channels, such as email, phone call, fax, or even by letter, do not comply with these requirements.14
In addition, if a consent window is used, the user should be given an easy-to-find option to open it again at any time and change the settings they have previously made, for example, by inserting a link to the consent layer in the header or footer of the website, where the imprint and the data protection information are regularly found, which could be called 'Data protection settings'. Another alternative is to include this link in the data protection notice.15
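The point in question 4 that consent must be implemented technically, not just collected formally, together with the requirement that withdrawal be as simple as granting, can be expressed as a small consent gate. The following is an added example written for this page, not code from the article or from Piltz Legal; the cookie names, categories and in-memory cookie jar are constructed for illustration.

```javascript
// Added example: a consent gate in the spirit of Section 25 TTDSG.
// 'necessary' mirrors the Section 25(2) exception (e.g. a shopping cart);
// every other category may only be set after prior, affirmative consent.
const COOKIE_CATEGORIES = {
  cart_id: 'necessary',        // shopping cart: strictly necessary, exempt
  _analytics_id: 'analytics',  // reach measurement: needs consent
  _ad_profile: 'marketing',    // ad tracking: needs consent
};

// In-memory stand-in for document.cookie so the example runs outside a browser.
function createJar() { return new Map(); }

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    // No decision recorded yet: nothing is pre-checked (Recital 32 GDPR),
    // so every optional category starts as NOT consented.
    this.consent = { analytics: false, marketing: false };
    this.deferred = []; // third-party loaders waiting for consent
  }

  // Called only from an explicit user action in the consent layer.
  grant(categories) {
    for (const c of categories) if (c in this.consent) this.consent[c] = true;
    this.flushDeferred();
  }

  // Withdrawal is as easy as granting (Art. 7(3) GDPR): same call, same UI
  // path, and cookies already set for that category are removed.
  withdraw(categories) {
    for (const c of categories) {
      if (!(c in this.consent)) continue;
      this.consent[c] = false;
      for (const [name, cat] of Object.entries(COOKIE_CATEGORIES)) {
        if (cat === c) this.jar.delete(name);
      }
    }
  }

  // The only write path for cookies: refuses anything not yet consented to.
  setCookie(name, value) {
    const cat = COOKIE_CATEGORIES[name];
    if (cat === undefined) return false; // unknown cookie: never set silently
    if (cat !== 'necessary' && !this.consent[cat]) return false;
    this.jar.set(name, value);
    return true;
  }

  // Third-party tags are queued, not loaded, until their category is consented.
  loadThirdParty(category, loader) {
    if (this.consent[category]) { loader(); return true; }
    this.deferred.push({ category, loader });
    return false;
  }

  flushDeferred() {
    const still = [];
    for (const d of this.deferred) {
      if (this.consent[d.category]) d.loader(); else still.push(d);
    }
    this.deferred = still;
  }
}

// Scenario from question 4: first visit, nothing consented yet.
function demo() {
  const jar = createJar();
  const gate = new ConsentGate(jar);
  const loaded = [];
  const cartSet = gate.setCookie('cart_id', 'c-123');            // allowed
  const analyticsEarly = gate.setCookie('_analytics_id', 'a');   // blocked
  gate.loadThirdParty('marketing', () => loaded.push('ad-tag')); // queued
  gate.grant(['marketing']);                                     // user clicks
  const adSet = gate.setCookie('_ad_profile', 'p');              // now allowed
  gate.withdraw(['marketing']);                                  // one click back
  return { cartSet, analyticsEarly, adSet, loaded, jarAfter: [...jar.keys()] };
}
```

In a real site the `grant` and `withdraw` calls would be wired to the same consent layer, reachable again from a 'Data protection settings' link, so that revocation never requires a different channel than the original consent.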
5. Are there any legal bases other than consent that can be used for cookies under TTDSG or other laws?
The TTDSG does not provide for other legal bases than consent for the use of cookies, and provides for very narrow exceptions to this (Section 25(1) of the TTDSG). Hence, the use of legitimate interest as a legal basis for cookies pursuant to Article 6(1)(f) of the GDPR is no longer possible.16
Dr Piltz and Quiel add, "The recourse to Article 6 of the GDPR is not possible, especially because Article 5(3) of the ePrivacy Directive and here the implementation in Section 25 of the TTDSG are considered lex specialis compared to the GDPR. Section 25 of the TTDSG therefore supersedes Article 6 of the GDPR, even if access to terminal equipment involves personal data".
6. Does the TTDSG provide more legal certainty on what is meant by 'strictly necessary cookies'?
The storage and use of cookies must be strictly necessary to enable the provider of a telemedia service to provide a telemedia service explicitly requested by the user (Section 25(2)(2) of the TTDSG).
The term 'strictly necessary' is to be understood as a technical, but not an economic necessity.17 For example, a cookie that is used to store items from an online shop in a shopping cart is considered 'strictly necessary' and thus exempted from consent under the TTDSG.18 However, range measurement, user tracking for advertising purposes, and similar practices are not strictly necessary for the provision of a telemedia service and, therefore, require consent under the TTDSG.19
Since the 'strictly necessary' cookies are an exception, they are to be interpreted narrowly.20 Hence, only a few cookies and third-party services can be used on the website without consent.21
7. What exactly is meant by 'subsequent processing' under the TTDSG?
Dr Piltz and Quiel note, "There is no legal definition for this. This refers to all processing operations that are not covered by the scope of Section 25 TTDSG. This means, for example, the storage of data collected from end devices or the analysis of this data or the transfer of this data to third parties".
See question 13 below for further information on subsequent processing.
8. How long can I store data obtained from cookies under the TTDSG?
The TTDSG does not contain any specific rule on the storage of data obtained from cookies or similar technologies. Nevertheless, the TTDSG applies in addition to the GDPR.22 As such, if the data obtained from the cookies or similar technologies constitutes personal data, then the requirements of the GDPR would need to be met, including the principle of storage limitation established by Article 5(1)(e) of the GDPR, which states that, generally, personal data must not be stored for longer than is necessary for the purposes for which it is processed.
Dr Piltz and Quiel state, "The storage of cookie data is no longer subject to Section 25 TTDSG, but to the general requirements of the GDPR (if personal data is involved)".
9. Is cookie consent required to be obtained only by website operators under the TTDSG?
The LfD Niedersachsen's FAQs clarify that the providers of telemedia services, to which the TTDSG applies, include public or non-public bodies, as well as private individuals who operate a website or app, and smart home applications. In practice, this means that not only website operators, but also other entities, such as app operators and smart home applications, may need to obtain a user's consent in order to store information on their device or to access information stored therein, unless one of the exceptions of Section 25(2) of the TTDSG applies.
10. Now that the TTDSG has entered into force, do I need to seek the users' renewed cookies consent?
The TTDSG does not contain any express rule on the validity of consent obtained before its entry into force. However, the GDPR governs the requirements of cookies consent under the TTDSG (Section 25(1) of the TTDSG). The LfD Niedersachsen's FAQs point out, regarding consent, that the definition according to Article 4(11) of the GDPR is of crucial importance and that the further requirements for effective consent result from Articles 7 and 8 of the GDPR.23 In addition, for the assessment of the validity of consent according to Section 25(1) of the TTDSG, the same evaluation criteria are to be applied as for consent according to Article 6(1)(a) of the GDPR.24
If organisations obtained consent before the entry into force of the TTDSG, and such consent is compliant with the GDPR, Dr Piltz and Quiel further note, "In our view, no new consent is necessary if the requirements of the GDPR have already been complied with in the past. This is because these requirements also apply under Section 25 TTDSG".
11. Is it sufficient that a company has an establishment in Germany, or does that company need to also be actively involved in certain processing activities related to cookies?
The fact that a company is established in Germany is already sufficient to trigger the applicability of the TTDSG (Section 1(3) of the TTDSG). Dr Piltz clarified in his Insight article Germany: The New Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia that "[i]t is not necessary that this establishment is somehow actively involved in processing activities that, for example, include tracking with the help of cookies. The mere existence of an establishment in Germany is sufficient for the TTDSG to apply to a company".
In addition, the TTDSG also applies to organisations that do not have an establishment in Germany, but that nevertheless provide or participate in the provision of services or make goods available on the German market (Section 1(3) of the TTDSG).
12. The TTDSG applies to companies even if they only participate in the provision of services in Germany; what exactly is meant by 'participating in the provision of services' under the TTDSG?
The TTDSG does not set forth the meaning of 'participating in the provision of services'. Accordingly, Dr Piltz pointed out in his Insight article that "it remains unclear how high or low the bar for 'participating' in the provision of a service is. To be able to assess if a company is in scope of the TTDSG, it will also have to look at services the company does not provide itself but which it is only involved in some way".
13. What is the envisaged interplay between the TTDSG, the ePrivacy Regulation, and the GDPR?
The TTDSG implements the requirements of the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) ('the ePrivacy Directive') into German law. Currently, a Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)25 ('the Draft ePrivacy Regulation') is being negotiated at the EU level; if finalised, it is likely to bring further changes.
Regarding the interplay between the TTDSG and the GDPR, the HmbBfDI's press release points out that the TTDSG applies in addition to the GDPR. Moreover, the GDPR governs the requirements for valid consent under Section 25(1) of the TTDSG.
Furthermore, Dr Piltz outlined in his Insight article that "Article 95 of the GDPR regulates that the GDPR does not impose additional obligations for companies as long as specific obligations arising out of the ePrivacy Directive have 'the same objective'. At least when it comes to subsequent processing of personal data, the GDPR will have to apply as its objectives are way broader and different compared to the ones of the ePrivacy Directive".
14. How will the TTDSG be enforced? In particular, if companies outside of Germany are captured within the scope of the law, how will these cross-border cases be handled?
Sections 28, 29, and 30 of the TTDSG are dedicated to sanctions and enforcement of the TTDSG. In particular, Sections 29 and 30 regulate respectively the responsibility, duties, and powers of the Federal Commissioner for Data Protection and Freedom of Information ('BfDI') and of the Federal Network Agency as supervisory authorities. Specifically, on the one hand, the BfDI is the competent authority insofar as data of natural or legal persons are processed for the commercial provision of telecommunications services, and its competence only covers providers of telecommunication services or federal public authorities (Section 29(1) and (2) of the TTDSG). On the other hand, the Federal Network Agency is generally the responsible supervisory authority for compliance with Sections 3 to 18 of the TTDSG (Section 30 of the TTDSG).
However, the TTDSG does not provide for any rules for cross-border enforcement. In his Insight article, Dr Piltz reasoned that "[b]esides the fact that it is unclear in what kind of cases a company 'participates' in the provision of a service, there is no obligation in the TTDSG that is similar to Article 27 of the GDPR (designation of a representative) and that could ensure that the competent supervisory authority could enforce the TTDSG in countries outside Germany". Moreover, he added that "[…] enforcement of the provisions of the TTDSG is quite unclear when it comes to companies located outside of Germany. This, however, does not only count for [non-EU] companies, but also for companies located in other Member States of the EU. There is a lack of cooperation and consistency mechanisms for cases in which service providers provide their services from or in several Member States. This lack is caused by missing provisions in the ePrivacy Directive. Nevertheless, it will be interesting to see how the competent German authorities will enforce the TTDSG in cross-border cases".
Dr Piltz and Quiel conclude that "the problem [of cross-border cases] will certainly continue to exist for the time being, or we will have to wait and see whether the authorities (at least in Europe) find a mechanism for cooperation".
Anna Baldin Privacy Analyst
Alexandra From Privacy Analyst
Comments provided by:
Dr Carlo Piltz Partner
Philipp Quiel Counsel
Piltz Legal, Berlin
1. Available at: https://www.bgbl.de/xaver/bgbl/start.xav#__bgbl__%2F%2F*%5B%40attr_id%3D%27bgbl121s1982.pdf%27%5D__1638373369482 (only available in German)
2. Question 4 of the FAQs on the TTDSG by the LfD Niedersachsen, published on 1 December 2021, available at: https://lfd.niedersachsen.de/startseite/infothek/faqs_zur_ds_gvo/faq-telekommunikations-telemediendatenschutz-gesetz-ttdsg-206449.html (only available in German)
3. See, for example, the Guidelines on Transparency under Regulation 2016/679, available at: https://www.dataguidance.com/legal-research/guidelines-transparency-under-regulation
4. See paragraph 64 of the Guidelines 05/2020 on Consent under Regulation 2016/679, available at: https://www.dataguidance.com/legal-research/guidelines-052020-consent-under-regulation-2016679-4-may-2020
5. See the Guide to data protection compliant consent on websites - Requirements for consent layers (November 2020) by the LfD Niedersachsen, pp. 2-3, available at: https://lfd.niedersachsen.de/download/161158 (only available in German)
6. Ibid., p. 3.
7. Ibid.
8. Question 10 of the FAQs on the TTDSG by the LfD Niedersachsen available at: https://lfd.niedersachsen.de/startseite/infothek/faqs_zur_ds_gvo/faq-telekommunikations-telemediendatenschutz-gesetz-ttdsg-206449.html (only available in German)
9. See the Guide to data protection compliant consent on websites - Requirements for consent layers, p. 2, available at: https://lfd.niedersachsen.de/download/161158 (only available in German)
10. Ibid., p. 4.
11. See paragraph 39 of the Guidelines 05/2020 on Consent under Regulation 2016/679, available at: https://www.dataguidance.com/legal-research/guidelines-052020-consent-under-regulation-2016679-4-may-2020
12. See the Guide to data protection compliant consent on websites - Requirements for consent layers, p. 4, available at: https://lfd.niedersachsen.de/download/161158 (only available in German)
13. Ibid., p. 7.
14. Ibid., p. 8.
15. Ibid.
16. Question 8 of the FAQs on the TTDSG by the LfD Niedersachsen, available at: https://lfd.niedersachsen.de/startseite/infothek/faqs_zur_ds_gvo/faq-telekommunikations-telemediendatenschutz-gesetz-ttdsg-206449.html (only available in German)
17. The Hamburg Commissioner for Data Protection and Freedom of Information's ('HmbBfDI') press release, issued on 30 November 2021, available at: https://datenschutz-hamburg.de/pages/ttdsg/ (only available in German)
18. The Berlin data protection authority's press release, issued on 1 December 2021, available at: https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2021/20211201-PM-TTDSG.pdf (only available in German)
19. The HmbBfDI's press release, available at: https://datenschutz-hamburg.de/pages/ttdsg/ (only available in German)
20. Question 9 of the FAQs on the TTDSG by the LfD Niedersachsen, available at: https://lfd.niedersachsen.de/startseite/infothek/faqs_zur_ds_gvo/faq-telekommunikations-telemediendatenschutz-gesetz-ttdsg-206449.html, and the HmbBfDI's press release, issued on 30 November 2021, available at: https://datenschutz-hamburg.de/pages/ttdsg/ (both only available in German)
21. Ibid.
22. The HmbBfDI's press release, available at: https://datenschutz-hamburg.de/pages/ttdsg/ (only available in German)
23. Question 10 of the FAQs on the TTDSG by the LfD Niedersachsen, available at: https://lfd.niedersachsen.de/startseite/infothek/faqs_zur_ds_gvo/faq-telekommunikations-telemediendatenschutz-gesetz-ttdsg-206449.html (only available in German)
24. Ibid.
25. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST_9931_2020_INIT&from=EN