Is Google Analytics still allowed to be used?

The Data Protection Conference (DSK) has published "Notes on the use of Google Analytics in the non-public sector". This decision is a supplement to the "Guidance of the supervisory authorities for telemedia providers", which was also adopted by the DSK in March 2020.

The DSK consists of the independent data protection authorities of the Federation and the Länder. It has the task of safeguarding and protecting fundamental data protection rights, achieving a uniform application of European and national data protection law and jointly advocating for its further development.

What are the minimum requirements for using Google Analytics?

The "Notes" of the DSK are the minimum requirements under data protection law for the data protection-compliant use of Google Analytics.

This means that a data controller who does not meet the requirements of the DSK when using Google Analytics is likely to be sanctioned in the event of an official audit. It should be noted, however, that the DSK makes the decision subject to a different interpretation by the European Data Protection Board and the ECJ. On the other hand, there is no mention of the case law of the BGH.

Is there joint responsibility with Google?

In the DSK's view, the use of Google Analytics does not constitute commissioned processing, but rather joint responsibility within the meaning of Article 26 of the GDPR. The DSK justifies this by stating that the operator of a website does not decide alone on the purposes and means of data processing when using Google Analytics. Rather, Google has the exclusive power to decide on the data processing that takes place. The consequence of this is that it is not a case of commissioned processing within the meaning of Article 28 of the GDPR.

Therefore, in the DSK's view, any commissioned processing agreement that may have been concluded between the controller and Google is no longer applicable when Google Analytics is used. Whether Google will provide a joint responsibility agreement for the use of Google Analytics remains to be seen.

Is the use of Google Analytics only permitted with the prior active consent of the user?

Furthermore, the DSK states that Google Analytics can only be used in a manner that is permissible under data protection law if the user (website visitor) has given active consent in accordance with Art. 6 (1) sentence 1 lit. a) GDPR.

In the opinion of the DSK, the use of Google Analytics cannot generally be based on Art. 6 (1) lit. b) GDPR, as the use of Google Analytics is not necessary for the fulfilment of the contract between the website operator and the user.

In the opinion of the DSK, the use of Google Analytics is generally also not lawful under Art. 6 (1) lit. f) GDPR, as the data subjects do not expect that their personal data will be disclosed to third parties and comprehensively evaluated with the aim of creating personalised advertising and linking it to personal data obtained from other contexts.

From now on at the latest, you should therefore use Google Analytics on your website or in your online shop only on the basis of the visitor's active consent.

Otherwise you will face sanctions from the competent supervisory authority.

What are the minimum requirements for using Google Analytics?

In the opinion of the DSK, the following measures must be implemented for the legally permissible use of Google Analytics:

1. Obtaining informed, voluntary, active and prior consent from the users to the specific processing activity

Consent is only effective if the requirements pursuant to Art. 4 No. 11, Art. 7 GDPR and, if applicable, Art. 8 GDPR are met.

2. Technical requirements for the implementation of the withdrawal of consent

When using Google Analytics, a simple and always accessible mechanism (e.g. a button) must be implemented with which users can revoke consent once given.

3. Transparency

Users of Google Analytics must comprehensively inform their website visitors about the processing of personal data within the scope of Google Analytics in the data protection provisions in accordance with Art. 13 GDPR.

4. Shortening of the IP address

In addition to the above-mentioned measures, users of Google Analytics should arrange for the IP addresses to be shortened through appropriate settings.

Conclusion:

In summary, the DSK's decision does not offer much that is new in terms of content. However, the joint decision of all data protection authorities has made it more likely that you will face sanctions from the supervisory authorities if you do not comply with the DSK's requirements for the use of Google Analytics.

GoldbergUllrich Lawyers 2020

Attorney at Law Michael Ullrich, LL.M. (Information Law)

Specialist lawyer for information technology law

Update:

After the ECJ declared the Privacy Shield Decision 2016/1250 invalid, the use of Google Analytics is currently not legally permissible, irrespective of the above-mentioned aspects.
