- The DSK classifies Google as a joint controller when using Google Analytics; this requires an Art. 26 GDPR agreement between the parties involved.
- As a rule, Google Analytics may only be used with the effective, transparent and voluntary consent of the user in accordance with Art. 6 para. 1 lit. a and Art. 7 GDPR.
The German Conference of Data Protection Supervisory Authorities (DSK) has published its notes on the use of Google Analytics by private entities, dated May 12, 2020:
Against the backdrop of the new legal framework with the application of the GDPR, the data protection supervisory authorities have re-evaluated the use of Google Analytics. Older views of data protection supervisory authorities, which were communicated taking into account the legal situation prior to 25.05.2018, are thus considered obsolete. [Fn: This applies in particular to the publication of the Hamburg Commissioner for Data Protection and Freedom of Information, “Notes for website operators based in Hamburg who use Google Analytics.”]
The notes apply to the use of Google Analytics in the standard configuration (without, for example, Analytics 360).
Comments
The DSK briefly states that
- Google and the website operator are, on the whole, jointly responsible when Google Analytics is used, and
- Google Analytics may only be used with consent.
As far as the requirement of consent is concerned, the position of the DSK is in line with the views already expressed earlier by authorities (e.g. the LfDI Rhineland-Palatinate) and, as far as can be seen, of the Administrative Court of Mainz (cf. also here).
What is new, however, is the assessment that Google is a jointly responsible party. The data processing agreement provided by Google does not change this. This means that the use of Google Analytics requires not only consent (which, incidentally, confirms once again that the transfer of data between joint controllers is not privileged, but requires a legal basis), but also an agreement between joint controllers within the meaning of Article 26 GDPR. So far, Google has not submitted a corresponding agreement.
For companies in Switzerland, the GDPR may be applicable if the user behavior of persons residing in the EEA (including Liechtenstein) is collected. In this case, the requirements of the GDPR would have to be implemented (although these are not legally binding). One possibility may be to exclude access from abroad or not to record it. Without such measures, the use of Google Analytics requires an assessment of the legal risk.
The Swiss DPA regulates the use of Google Analytics through the general processing principles and through the Swiss cookie provision, Art. 45c TCA, provided that it can also be assumed for Switzerland that personal data is processed by Google Analytics, which is by no means a matter of course. This legal situation will hardly change with the revision of the DPA, apart from the information requirements according to Art. 17 E‑DSG. Consent to the use of Google Analytics is thus not necessary. A transfer to Google of personality profiles or, depending on what a website offers, of personal data requiring special protection should not be present, since Google collects this data itself or is a processor under Swiss law. From this point of view as well, therefore, no consent should be required.
An agreement between joint controllers is likewise not necessary in itself. The FADP and the E‑DSG do not generally require such an agreement, even though it may make sense in the case of data processing based on a division of labor. Since Google is subject to the GDPR, Google would have to require the conclusion of such an agreement with Swiss website operators. Admittedly, the latter should not become subject to the GDPR merely because they process data jointly with a controller in the EEA. But the agreement between joint controllers is intended to ensure the proper distribution of compliance obligations, and if the Swiss controller assumes such obligations without committing to the GDPR standard, its EEA counterpart would run the risk of a regulatory gap.
Applicability of the GDPR
First of all, the DSK takes the following view:
When Google Analytics is used, personal data of the users is always processed.
Here, the DSK expressly disagrees with the view of Google itself, according to which usage data do not constitute personal data. However, the DSK does not further substantiate its opinion on this point, which is not self-evident.
Role allocation: Google as jointly responsible party
According to the DSK, Google does not act as a processor when Google Analytics is used.
The DSK on this:
When using Google Analytics, the website operator does not solely determine the purposes and means of data processing. These are rather partly given exclusively by Google, so that Google itself is responsible in this respect, and contractually accepted by the site operator. The processing when using Google Analytics represents a single life circumstance in which the various aspects of the processing only make sense as a whole. This has the consequence that the parties cannot change their role as processor and/or controller within a processing activity.
Here, too, the DSK disagrees with Google, according to which Google acts as processor for certain processing operations and as controller for others (on the latter, cf. the Shared Data Under Measurement Controller-Controller Data Protection Terms of Google). Rather, Google and the website operator are jointly responsible in the sense of Art. 26 GDPR.
Legal basis: Consent
Since Google Analytics is not necessary for the contract, Article 6 (1) (b) of the GDPR is not a legal basis. Article 6 (1) (f) GDPR (legitimate interest) also does not apply “as a rule”:
In view of the specific data processing steps involved in the use of Google Analytics, the interests, fundamental rights and freedoms of users regularly outweigh the interests of website operators. In particular, the user does not reasonably expect that his personal data will be passed on to third parties and comprehensively evaluated with the aim of creating personal advertising and linking it with the personal data obtained from other contexts. This goes far beyond that which is permissible within the scope of Art. 6 (1) f) GDPR. In this respect, the situation differs significantly from the case of a statistics function on one’s own website or by means of commissioned processing.
Therefore, as a rule, only consent remains:
As a result, a lawful use of Google Analytics is generally only possible on the basis of an effective consent of the website visitors pursuant to Art. 6 (1) a), Art. 7 GDPR.
Obtaining consent
Consent to the processing of personal data by Google Analytics is subject to the usual requirements. In this regard, the DSK states, among other things, that
- the declaration of consent must describe clearly and unambiguously that the processing is essentially carried out by Google, that the data is not anonymous, what data is processed and that Google uses it for “any of its own purposes such as profiling” as well as “links it to other data such as any Google accounts”. Google must be explicitly listed as a recipient of the data;
- users can only consent actively (e.g. by clicking a button);
- no data may be collected or elements reloaded from Google websites prior to consent;
- consent is only voluntary when the person concerned has options and a free choice. They must also be able to refuse consent without suffering any disadvantages as a result. The coupling with a service could lead to the consent not being voluntary.
In addition, a possibility of objection is to be provided, for example by including a corresponding button. It is not sufficient to simply make reference to the Google Opt Out Add-On, inter alia because this revocation is not as simple as giving consent.
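The technical side of these requirements (nothing loaded before consent, consent only through an active click, revocation as simple as granting) can be enforced with a small consent gate. The following is an added example, not code from the DSK notes or from Google; `createConsentGate`, `STORAGE_KEY`, `appendScript` and the injected callbacks are hypothetical names.

```javascript
// Added example; all names below are hypothetical, not a vendor API.
const STORAGE_KEY = "analytics-consent";

function createConsentGate({ storage, loadTag, onWithdraw }) {
  let loaded = false;

  // Anything other than an explicitly stored "granted" counts as no consent.
  const state = () => {
    const v = storage.getItem(STORAGE_KEY);
    return v === "granted" || v === "denied" ? v : "unset";
  };

  // The only place where the third-party tag may start loading.
  function apply() {
    if (state() === "granted" && !loaded) {
      loadTag();
      loaded = true;
    }
    return state();
  }

  // Record a decision only for a genuine user gesture: Event.isTrusted is
  // false for clicks dispatched by script, so consent cannot be simulated.
  function decide(event, granted) {
    if (!event || event.isTrusted !== true) return state();
    const wasGranted = state() === "granted";
    storage.setItem(STORAGE_KEY, granted ? "granted" : "denied");
    if (!granted && wasGranted) {
      loaded = false;
      onWithdraw(); // e.g. delete analytics cookies and reload without the tag
    }
    return apply();
  }

  return {
    init: apply,                          // call on every page load
    grant: (ev) => decide(ev, true),      // "Accept" button
    refuse: (ev) => decide(ev, false),    // "Decline" button, same prominence
    withdraw: (ev) => decide(ev, false),  // one-click revocation
    state,
    isLoaded: () => loaded,
  };
}

// Browser-side loader to pass as loadTag; src is the URL the vendor documents.
function appendScript(src) {
  const s = document.createElement("script");
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}
```

In a browser, `storage` would be `localStorage` and the three decision functions would be bound directly as click handlers of the banner and settings buttons, so the event object they receive is the user's own click.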
Other requirements
Further, the privacy policy must explain the processing by Google Analytics, and users “should” activate the shortening of the IP address by Google.