Weighing of interests

etracker analytics

The question arises as to whether the cookie-less mode of etracker analytics, which is provided as standard, is protected by Art. 6 para. 1 lit. f GDPR can be legitimized. According to this provision, the processing of personal data is lawful “if the processing is carried out for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.”

Art. 6 para. 1 GDPR is supplemented by recital 47:

“The lawfulness of the processing may be justified by the legitimate interests of a controller, including a controller to whom the personal data may be disclosed, or a third party, provided that the interests or fundamental rights and freedoms of the data subject are not overridden, taking into account the reasonable expectations of the data subject based on his or her relationship with the controller. A legitimate interest could exist, for example, if there is a relevant and appropriate relationship between the data subject and the controller, e.g. if the data subject is a customer of the controller or is employed by the controller. In any case, the existence of a legitimate interest would have to be weighed up particularly carefully, also considering whether a data subject can reasonably foresee at the time the personal data is collected and in view of the circumstances in which it takes place that processing for this purpose will possibly take place. In particular, if personal data is processed in situations in which a data subject does not reasonably expect further processing, the interests and fundamental rights of the data subject could outweigh the interests of the controller. Since it is for the legislator to create the legal basis for the processing of personal data by public authorities by means of legislation, this legal basis should not apply to processing operations carried out by public authorities in the performance of their tasks.”

The starting point for any balancing of interests in the context of Art. 6 para. 1 lit. f GDPR is, on the one hand, the personal rights of the data subject and the effects that processing of the data in question would have on them and, on the other hand, the interests of the controller or third parties. The circumstances that the data subject can reasonably expect when visiting a website must also be taken into account in the balancing of interests. This means: As long as the data processing processes carried out by etracker on behalf of the data subject are within the scope of these expectations, it is justifiable to base the permissibility of the corresponding data processing on Art. 6 para. 1 lit. f GDPR.

In this respect, when weighing up interests, it must be taken into account that the persons affected by the web analysis have a comprehensive right to object at any time (Art. 21 para. 2 GDPR), to which they must be expressly informed in the website’s data protection information (Art. 21 para. 4 GDPR). According to Art. 21 para. 3 GDPR, the objection means that personal data may no longer be processed, in particular used, for statistical purposes.

According to the guidelines on the processing of personal data on the basis of a legitimate interest of the European Data Protection Board (EDPB), the controller must fulfill three cumulative conditions in order to be able to invoke a legitimate interest:

1. The pursuit of a legitimate interest by the controller or a third party;
2. The need to process personal data for the purpose of pursuing the legitimate interest;
3. The interests or fundamental freedoms and rights of natural persons do not take precedence over the legitimate interests of the controller or a third party (balancing exercise).

The following can be stated with regard to the use of etracker analytics:

1. existence of a legitimate interest of the controller or a third party

In the above-mentioned EDPB guidelines, the legitimate interests explicitly mentioned include maintaining the functionality of the websites made generally accessible and product improvement (to make its product or service more powerful and thus more attractive), with reference to Case C-252/21, para. 122.

The optimization of the respective website also meets the other requirements for the existence of a legitimate interest:

• The interest is legitimate, i.e. it does not violate EU or Member State law.
• The interest is formulated clearly and precisely.
• The interest must be real and present and must not be speculative.

2. necessity of data processing to safeguard legitimate interests

The processing must be suitable to achieve the controller’s interest in optimizing the website, whereby no milder, equally effective means may be available. When using etracker analytics, processing is limited to what is necessary. It is not technically possible to collect significantly less personal data, as the TCP/IP protocol already reduces this to what is technically necessary.

According to the EDPB guidelines, necessity in the sense of the principle of data minimization means: “If there are reasonable, equally effective but less privacy intrusive alternatives, the processing cannot be considered “necessary”.”

The arguments in favor of etracker analytics include

• The IP anonymization already takes place in the cache of the data acceptance, whereby the complete IP address is not persisted.
• Reporting is essentially only aggregated. Analyses at visitor level are limited to the last 50 visitors and are used for QA purposes.
• With session tracking, anonymous hash values are generated on the backend and formed with a daily changing value as a so-called “salt” in order to technically exclude a chaining of visits, fingerprinting or profiling beyond one calendar day.

3. weighing up the interests, fundamental rights and freedoms of the data subject in the specific individual case

According to the EDPB guidelines, the following aspects must be taken into account when weighing up interests:

i) The interests, fundamental rights and freedoms of the data subjects.

(ii) the impact of the processing on the data subjects, including

a. The type of data to be processed,
b. The context of the processing and
c. Any further consequences of the processing.

iii) The legitimate expectations of the data subject.

iv) The final balancing of the conflicting rights and interests, including the possibility of further mitigating measures.

The following can be stated with regard to the use of etracker analytics:

i) The interests, fundamental rights and freedoms of the data subjects

In view of the small scope of data processing and its insignificant impact on users, there is no risk of loss of control over one’s own data, the re-identification of data subjects, the use of personal data for advertising purposes or for the creation of personality or user profiles.

The legally standardized right to object under Art. 21 para. 2 GDPR is effectively guaranteed. It is possible at any time for a visitor to a website on which etracker technology is used to object to the processing of their data. The associated transparency obligations can be complied with in every respect in accordance with the requirements of Art. 13 and 14 GDPR. For this purpose, etracker provides pre-formulated sample texts.

(ii) the impact of the processing on the data subjects, including

By default, data records are not linked or enriched. The transfer of cross-device identifiers is optional and requires a separate risk check.

The actual data processing takes place exclusively and deliberately on a pseudonymized basis (presumably even anonymized). Pseudonymization is an effective means of reducing interference with the rights of the data subject. The IP address is shortened automatically at the earliest possible point in the processing and does not require any adjustment of the settings or the tracking code. This meets the requirements of Art. 5 GDPR and its technical and organizational implementation in accordance with Art. 25 GDPR, in particular Art. 25 para. 2 GDPR (privacy by default). “Information by which the personal data can be attributed to a specific data subject” (Art. 4 No. 5 GDPR) is not stored in the web analytics system by default. Identifiers that would allow conclusions to be drawn about the person of the visitor are also not provided.

Even when used on websites that are aimed at particularly vulnerable persons such as children or provide content on sensitive topics, this does not mean that the interests, fundamental rights and freedoms of the data subjects are given greater weight. This is because there is no profiling or risk of exploiting particular vulnerabilities.

The interference with the rights of the data subjects is minimal and has no legal effect for the data subjects. In contrast to a credit assessment by a bank, for example, the only purpose of this application is to analyze pseudonymous, if not anonymous data, usually in aggregated form for an improved website.

As a processor, etracker operates as a separate, independent company from its headquarters and data center in Hamburg. In particular, there are no social relationships with companies outside the EU or in unsafe third countries, which would make it more difficult to protect the rights of data subjects.

The duration of the observation is limited to a maximum of one day, as all visit identifiers are automatically linked to the respective date, thus preventing visitors from being recognized in standard mode on subsequent days.

It can be stated that there is no processing of particularly extensive data records or even sensitive data. The depth of intervention is therefore low.

In cookie-less mode, all interactions on the website can be recorded in the same way as with the cookie-based method. However, it is impossible for user profiles to be created and for visitors to be “recognized” over time (identification or re-identification is excluded in both methods, as the IP address is shortened by default at the earliest possible point in time and thus anonymized).

In cookie-less standard mode, the following data is collected and made available for analysis:

• Information on the end device, operating system and browser used;
• Geo-information up to city level;
• the URL called up with the corresponding page title and optional information on the page content;
• the website from which the accessed individual page was accessed (referrer site including assignment to search engines and social media sites and reading of campaign parameters);
• the subsequent pages that were accessed from the accessed website within a single website in the session;
• the time spent on the website;
• other interactions (clicks) on the website such as search terms entered, files downloaded, external link views, videos viewed, registrations, inquiries, items ordered, etc.

It is not possible to identify unique visitor values, the frequency distribution of sessions per visitor in the period or the linking of visits to customer journeys or conversion paths that result from several visits over longer periods than 24 hours or across several end devices.

iii) The legitimate expectations of the data subject

When using websites and apps, a user does not usually expect user data to be processed by third parties for their own purposes, that extensive profiles are created across many websites or that granular session recordings are made and made playable (so-called session recordings).

With etracker analytics, user data is processed exclusively on behalf of the service provider and not for its own purposes with the aim of creating personalized advertising, without linking it to personal data obtained from other contexts and without passing it on to third parties.

iv) The final balancing of the conflicting rights and interests, including the possibility of further mitigating measures

Against this background, we consider it justifiable that the data processing described in cookie-less mode can be justified on the basis of Art. 6 para. 1 lit. f GDPR or with the use of cookies on the basis of Art. 6 para. 1 lit. a GDPR, provided that visitors are informed of the use of this technology by etracker in the data protection declarations and are given the option to opt out. The conclusion of an order processing contract is mandatory.

---

etracker tag manager

1. functionality and purpose of the etracker tag manager

In order to be able to use the etracker tag manager, the etracker tracking code must first be integrated into the HTML of the website, which is the basis for the use of etracker analytics. There is no special code or separate integration for the etracker tag manager, as this is not a stand-alone etracker product, but can only be used in combination with etracker analytics.

The etracker tag manager offers the following two functions:

1. Tracking of events, goals and segment dimensions in etracker analytics without programming or adjustments in the HTML of the website.
2. Integration of tags (third-party code) into a website without programming or adjustments to the HTML of the website and their display according to set conditions and with previously set variables.

The etracker tag manager can also be used exclusively for the configuration of the data collected with etracker analytics (point 1). It is therefore a convenience function that primarily serves the interests of the website operator to optimize processes for the installation and configuration of website functions.

2. legal conformity and consent requirements for third-party codes

When considering the legal basis for the use of the etracker tag manager, a distinction must be made between

• the day manager himself and
• the third-party code that may be played via it

can be distinguished.

A separate check is required for the legal requirements relating to the third-party codes to be played using the Tag Manager, the result of which depends on the respective third-party code and how it works. When selecting and configuring tags to be played, the etracker tag manager therefore offers the assignment of a suitable content category. This is automatically linked to the etracker consent manager, which is intended to ensure that tags requiring consent are only displayed with the user’s consent.

For the preconfigured third-party tags, the “Consent” basis is already preset under the “Marketing” purpose. This default setting corresponds to our recommendation for the respective tag in its standard implementation and should be checked again by the customer. For individually integrated tags, the etracker customer is responsible for the correct categorization through their administrator. With regard to a possible consent requirement for third-party tags, access to user devices (in accordance with the TDDDG) and the processing of personal data associated with the tag (in accordance with the GDPR) must be taken into account.

It is important to note in connection with the consent requirement for third-party tags that

according to TDDDG

1. only technically essential cookies are exempt from the consent requirement.
2. when assessing the necessity of access to end devices, it is important to take an objective, technical view and not whether the access is desirable or economically necessary from the website operator’s point of view.

according to DSGVO

• obtaining consent is not per se to be considered more data protection-friendly than the legitimate interest.
• the balancing of interests can only be considered as a legal basis if the processing does not violate the reasonable expectations of the users and no reasonable, equally effective milder means are available for the purposes.
• even with consent, there are additional requirements for data protection compliance, namely compliance with principles such as “purpose limitation”, “data minimization”, “privacy by design” and “privacy by default”.

3. legal conformity and freedom of consent of the etracker tag manager itself

3.1 etracker tag manager and TDDDG

The etracker tag manager as such – as well as etracker analytics in the appropriate configuration – does not use cookies or similar technologies by means of which information is stored in the end user’s end device or access to information that is already stored in the end device takes place. This means that the etracker tag manager is not subject to consent pursuant to Section 25 TDDDG.

3.2 etracker tag manager and GDPR

The question also arises as to whether the cookie-less mode of etracker analytics provided as standard can also be legitimized by Art. 6 para. 1 lit. f GDPR when using the Tag Manager module or whether consent is required due to the processing of personal data as such. According to Art. 6 para. 1 lit. f GDPR, the processing of personal data is lawful “if the processing is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.”

The starting point for the balancing of interests acc. Art. 6 para. 1 lit. f GDPR are, on the one hand, the personal rights of the data subject and the effects of processing the data concerned on the data subject and, on the other hand, the interests of the controller or third parties. The circumstances that the data subject can reasonably assume when visiting a website must also be taken into account in the balancing of interests. This means: As long as the data processing processes carried out by etracker on behalf of etracker are within the scope of these expectations, it can be argued that the permissibility of the corresponding data processing is based on Art. 6 para. 1 lit. f of the GDPR.

When weighing up interests, it must first be taken into account that the persons affected by the web analysis and associated tag management have a comprehensive right to object at any time (Art. 21 para. 2 GDPR), to which they must be expressly informed in the website’s data protection information (Art. 21 para. 4 GDPR). According to Art. 21 para. 3 GDPR, the consequence of the objection is that personal data may no longer be processed, in particular used, for the relevant purposes. If the above considerations are applied to the facts of the case to be assessed here, the following can be stated:

1. existence of a legitimate interest of the controller or a third party

The optimization of processes for the installation and configuration of website functions can be regarded as a legitimate interest of the website operator. The indirectly supported functions such as reach measurement and statistical analyses as well as the optimization of the respective website and personalization/individualization of the offer tailored to the respective user are also expressly cited as legitimate interests of website operators in accordance with the guidance of the supervisory authorities for telemedia providers. The use of tag management is therefore also a legitimate interest as an “enabling instrument”, so to speak, for the implementation of these legitimate interests.

2. necessity of data processing to safeguard legitimate interests

According to the above-mentioned guidance, the processing must be suitable to achieve the controller’s interest, whereby no milder, equally effective means must be available. When using etracker analytics, data processing is also limited to the necessary extent with the Tag Manager module. It is not technically possible to collect significantly less personal data, as the TCP/IP protocol already reduces this to what is technically necessary. Personal data is not transmitted to third parties by etracker analytics itself, but if necessary only through the third-party tags to be checked independently. In this context, it should be noted that etracker is not a “third party” within the meaning of Art. 4 No. 10 GDPR, but acts as a processor exclusively on the instructions of the website operator and does not pursue its own processing purposes. In view of the purpose pursued, equally effective and less intrusive means of processing for the data subject are therefore not discernible.

3. weighing up the interests, fundamental rights and freedoms of the data subject in the specific individual case

a) Reasonable expectation of the persons concerned and foreseeability

With etracker analytics, user data is processed exclusively on behalf of the service provider (website operator) and not for the processor’s (etracker) own purposes with the aim of creating personalized advertising, without linking it to personal data obtained from other contexts and without passing it on to third parties. No granular session recordings are made and made playable (so-called session recordings). This applies analogously to the etracker Tag Manager module, with which only the tags configured by the client are played out according to the set conditions and with the set variables. The fact that website operators use convenience functions to optimize processes for installing and configuring website functions should be within the reasonable expectations of users.

If implemented correctly, further processing of personal data will only take place with the transparent, voluntary and informed consent of the data subject. The Tag Manager therefore only initiates further processing if this is implemented lawfully.

b) Intervention options for data subjects (transparency & possibility of objection)

The legally standardized right to object under Art. 21 para. 2 GDPR is effectively guaranteed. It is possible at any time for a visitor to a website on which etracker technology is used to object to the processing of their data. The associated transparency obligations can be complied with in every respect in accordance with the requirements of Art. 13 and 14 GDPR. etracker provides sample texts for this purpose.

c) Concatenation of data

At etracker, data processing for statistical purposes is carried out exclusively and deliberately on a pseudonymized basis (depending on the legal perspective, even on an ^anonymized1 basis). Pseudonymization is an effective means of reducing interference with the rights of the data subject. The IP address is truncated automatically at the earliest possible point in time during processing and does not require any adjustment of the settings or the tracking code. This meets the requirements of Art. 5 GDPR and its technical and organizational implementation in accordance with Art. 25 GDPR, in particular Art. 25 para. 2 GDPR (privacy by default) are fulfilled. “Information by which the personal data can be attributed to a specific data subject” (Art. 4 No. 5 GDPR) is not stored in the web analytics system by default. Identifiers that would allow conclusions to be drawn about the person of the visitor are also not provided.

Data records are not linked or enriched by default. The transfer of cross-device identifiers is optional and requires a separate risk check. The etracker Tag Manager module does not contain any functions for transferring data from one tag provider to another, but only functions for transferring website information to corresponding independent tags at runtime.

d) Actors involved

As a processor, etracker operates as a company bound by the instructions of the controller from a company headquarters and data center in Hamburg (EU). In particular, there are no relationships under company law with companies outside the EU or in insecure third countries, which would make it more difficult to protect the rights of data subjects, nor does etracker itself or in combination with third parties provide products or carry out data processing that would entail the further use of data processed using the Tag Manager for other (profiling) purposes or would only make sense for etracker. In addition, etracker does not use the information processed by the Tag Manager for any other purposes of its own or of third parties, in particular for the further development or optimization of its own ^services2.

e) Duration of the observation

The duration of monitoring using etracker’s own identifiers is limited to a maximum of one day, as all visit identifiers are automatically linked to the respective date, thus preventing visitors from being recognized in standard mode on subsequent days.

f) Group of affected persons (e.g. particularly vulnerable persons)

Even when used on websites that are aimed at particularly vulnerable persons such as children or that provide content on sensitive topics, this does not result in the interests, fundamental rights and freedoms of the data subjects being given greater weight. There is no profiling or risk of exploitation of particular vulnerabilities through web analysis and tag management itself.

g) Data categories

The interference with the rights of the data subjects is proportionately limited in terms of object and severity for the data subjects. Unlike would be the case, for example, with a credit assessment by a bank, the use in question here is solely concerned with the analysis of pseudonymous, if not anonymous, data, usually in aggregated form, for an improved website.

h) Scope of data processing

It can be stated that there is no processing of particularly extensive data records or even sensitive data. The depth of intervention is therefore low.

In cookie-less mode, all interactions on the website can be recorded in the same way as with the cookie-based method. However, no user profiles are created by the Tag Manager even when cookies are used and visitors are not “recognized” over time (identification or re-identification is avoided in both methods as intended, since the IP address is shortened by default at the earliest possible point in time and thus anonymized).

In cookie-less standard mode, the following data is collected and made available for analysis:

• Information on the end device, operating system and browser used;
• Geo-information up to city level;
• the URL called up with the corresponding page title and optional information on the page content;
• the website from which the accessed individual page was accessed (referrer site including assignment to search engines and social media sites and reading of campaign parameters);
• the subsequent pages that were accessed from the accessed website within a single website in the session;
• the time spent on the website;
• other interactions (clicks) on the website such as search terms entered, files downloaded, external link views, videos viewed, registrations, inquiries, items ordered, etc.

It is not possible to identify unique visitor values, the frequency distribution of sessions per visitor in the time period or the linking of visits to customer journeys or conversion paths that result from several visits over longer periods than 24 hours or across several end devices.

Conclusion

According to our assessment, the use of the etracker tag manager is safe if it is configured correctly and as intended by the person responsible.

• not subject to consent pursuant to § 25 TDDDG,
• to safeguard the legitimate interests of the operator of the website, in the form of secure, legally compliant, high-performance tag management within the meaning of the legal basis of Art. 6 para. 1 lit. f GDPR is required,
• whereby no legitimate interests of the data subjects in not processing the data outweigh the legitimate interests of the controller, in particular no unauthorized profiling or misappropriation of the processed personal data.

Against this background, we consider it justifiable that the data processing described in standard mode can be justified on the basis of Art. 6 para. 1 lit. f GDPR or with the use of cookies on the basis of Art. 6 para. 1 lit. a GDPR, provided that visitors are informed of the use of this technology by etracker in the data protection declarations and are given the option to opt out of data processing. The conclusion of an order processing contract is mandatory. The contract can be concluded electronically upon commissioning or registration.

---