Support Centre

Germany: Legal bases of third-party services for tracking purposes

On 14 November 2019, most German Data Protection Authorities ('DPAs'), including those from Berlin, Brandenburg, Hamburg, Hesse, Lower-Saxony, published similar press releases with the core message that the use of third party services for tracking purposes is only possible on the legal basis of consent of website visitors in accordance with Article 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). According to the DPAs, the background to these publications is a high volume of complaints and inquiries regarding the use of analysis tools. Dr. Carlo Piltz, Salary Partner at reuschlaw Legal Consultants, provides a brief overview of what the press releases specified and what does or does not qualify as consent. / Essentials collection /

In Germany, there is a particular need for clarification of whether or not the use of tracking technologies requires consent from data subjects. The Telemedia Act 2007, as amended in 2010 ('the TMG') still expressly permits in Section 15(3) an opt-out solution for the use of cookies and tracking technologies for the purpose of creating profiles under a pseudonym. According to Article 95 of the GDPR, in the EU, the GDPR shall not impose additional obligations on natural or legal persons when processing publicly available electronic communications services in public communication networks in matters for which they are subject to specific obligations with the same objective set out within the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) ('the ePrivacy Directive'). Section 15(3) of the TMG would be considered as an implementation of this EU legislation, and would supersede the GDPR as lex specialis. But whether Section 15(3) of the TMG constitutes an implementation of the ePrivacy Directive into national law or not, is highly controversial in Germany. In the opinion of the DPAs, Section 15(3) of the TMG is no longer applicable.

In addition, website operators are irritated because in the past, it has been the accepted practice by the DPAs to conclude a data processing agreement with providers of tracking functionalities. For example, the Hamburg, Lower-Saxonian, as well as the Bavarian Data Protection Authority, had previously considered a processor's use of analysis tools to be legitimate so long as certain conditions were met. According to the current statement by the DPAs, this view is now outdated and obsolete as the conditions have changed. The DPAs refer to a telemedia orientation guide from the Data Protection Conference, in which a very strong tendency towards requiring consent has already been pointed out.

According to the Berlin DPA, it is generally considered permissible for website operators to carry out online analysis and to collect the number of visitors per page, the devices used, and the language settings, even if this is done by a processor. However, according to Article 28 of the GDPR, a processor is only allowed to process data on the instruction of the controller but may not use the data for their own purposes. In addition, the DPAs highlight the requirements for consent according to Article 4(11) of the GDPR. According to Recital 32 of the GDPR, silence, pre-ticked boxes, or inactivity of the data subject cannot qualify as consent.

The Berlin DPA further explained that web page operators, who integrate third party functions in violation of the GDPR, must not only expect instructions for action by the authorities, but should also consider the imposition of fines. Controllers should be aware that the DPAs are increasingly carrying out audits on the use of analysis tools.

Dr. Carlo Piltz Salary Partner
[email protected]
reuschlaw Legal Consultants, Berlin