These days, anyone visiting a website rarely gets to enjoy the content directly – usually a window inevitably blocks the actual page, asking – sometimes more, sometimes less friendly – for consent. Mostly out of habit and in order to view the website quickly, one clicks the highlighted button “Accept all” without actually knowing what this means.
That allows the website operator to collect, process and sometimes even give the information of the visitor to third parties.
When a website is visited – even if only for a second – sensitive technical data is inevitably transmitted, enabling the operator to draw conclusions about the visitor’s surfing behavior up to and including partial identification of the person. This isn’t unusual nor illegal, as Germany and the EU have defined exactly how this data is to be handled.
It becomes problematic when this data is passed on to so-called third parties (these can be other service providers who provide services on the website, e.g. YouTube, Google Maps and other companies) and the website operator thus gives up control of what happens to the data – but nevertheless remains responsible, since he collects and passes it on.
Schrems II ruling of July 2020
At the latest since May 25, 2018 with the introduction of the new DSGVO / GDPR in the EU, the topic has moved centrally into the public eye. In July last year, the probably best-known data protection activist Max Schrems obtained a ruling from the ECJ (Schrems II ruling), which invalidated the previously established Privacy Shield, which was established between the EU and the USA and had as its basis that the specifications of the Privacy Shield correspond to the level of data protection in the European Union.
This has sparked a broad discussion as to whether services such as Facebook, Google, WhatsApp & co. may still be used in the EU at all.
German and European data protection law has been significantly geared towards the use of the Privacy Shield regulations as far as the transfer of personal data to third countries such as the USA is concerned. The ECJ’s ruling therefore primarily calls on policymakers to adopt a comparable regulation with the United States. Until then, one could formally and legally assume a lack of legitimacy of the data transfer from and to the USA. However, since nearly every company in Germany is affected by the discontinuation of the privacy shield, since almost everyone uses Facebook, Twitter, etc., a persecution of the entire nation by the data protection authorities cannot be effective. In this respect, it remains to be seen until recommendations for the transition period are issued by the responsible authorities (state data protection commissioners, federal data protection commissioner). Ultimately, the responsibility for the legal correctness of statutory regulations still lies with the state and not with the citizen.
But what does this mean for the correct operation of websites in terms of data protection?
In general, it can be stated that one of the following prerequisites must be met for the processing of visitor data:
- a) The person has given their consent to the processing of the data (e.g. via a consent banner),
- b) The processing of the data is mandatory for the performance of a contract to which the data subject is a party,
- c) The processing is necessary for compliance with a legal obligation,
- d) The processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require the protection of personal data.
It is therefore not mandatory to make everything dependent on consent. Often, this leads to a consent banner (which is often incorrectly associated only with cookies) containing a page-long list of all the consents to be obtained, which is neither understandable nor useful for the visitor. A distinction is therefore made between essential and statistical cookies and external media. Essential cookies are those that are absolutely necessary for viewing the website (e.g. remembering the selected languages or forwarding from http to https to comply with security standards).
Cookies and external media
Statistical cookies means that there, for example, tracking is activated (Google Analytics, Matomo, or similar) as well as so-called retargeting (that you, as a visitor to the website, are shown afterwards advertisements on other platforms such as Facebook or Instagram).
External integrations should always be loaded with consent as a matter of principle, as it is difficult to justify a legitimate interest, when data is sent to external companies.
Particular attention should be paid when embedding external scripts (this includes embedding a YouTube player, embedding Google Analytics or Facebook pixels) that you have concluded a commissioned data processing contract (AV contract) with the service provider.
If a service provider is used to embed an external script, i.e. the service provider provides this script and the further evaluation, this service provider is not necessarily a third party and the data transfer is not immediately a transmission.
If a contract for commissioned processing has been concluded with this service provider, this service provider becomes a “processor” [Art. 4 Para. 8 DSGVO] and is no longer a
third party anymore. The processing is “outsourced”, but the responsibility remains “incorporated”.
Again, if the legal basis for the processing can be based on legitimate interests, consent is not required (for example, when incorporating external fonts).
It remains to be said that the GDPR is much more than a “necessary evil”, but above all also serves to protect the individual and establishes fair internet marketing. If you explain to visitors on your site what happens to their data, this will above all ensure transparency and trust, which will inevitably affect your perception and brand.
If you need support on this complex topic, do not hesitate to contact us.
Faires Internet Marketing – werning.com
Datenschutz individuell / Olav Seyfarth