
Weighing of interests

Contents

  • etracker analytics: 1. Existence of a legitimate interest of the controller or a third party; 2. Necessity of data processing to safeguard legitimate interests; 3. Weighing up the interests, fundamental rights and freedoms of the data subject in the specific individual case; Conclusion
  • Legal basis: Consent versus legitimate interest
  • Tag Manager: 1. Functionality and purpose of the etracker Tag Manager; 2. Legal conformity and consent requirements for third-party codes; 3. Legal conformity and freedom of consent of the etracker Tag Manager itself; Conclusion

etracker analytics

The balancing of interests (Art. 6 para. 1 lit. f GDPR) as the legal basis for the use of etracker analytics for web analysis

The question arises as to whether the cookie-less mode of etracker analytics, which is provided as standard, can be legitimized under Art. 6 para. 1 lit. f GDPR. According to this provision, the processing of personal data is lawful “if the processing is carried out for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.”

Art. 6 para. 1 GDPR is supplemented by recital 47:

“The lawfulness of the processing may be justified by the legitimate interests of a controller, including a controller to whom the personal data may be disclosed, or a third party, provided that the interests or fundamental rights and freedoms of the data subject are not overridden, taking into account the reasonable expectations of the data subject based on his or her relationship with the controller. A legitimate interest could exist, for example, if there is a relevant and appropriate relationship between the data subject and the controller, e.g. if the data subject is a customer of the controller or is employed by the controller. In any case, the existence of a legitimate interest would have to be weighed up particularly carefully, also considering whether a data subject can reasonably foresee at the time the personal data is collected and in view of the circumstances in which it takes place that processing for this purpose will possibly take place. In particular, if personal data is processed in situations in which a data subject does not reasonably expect further processing, the interests and fundamental rights of the data subject could outweigh the interests of the controller. Since it is for the legislator to create the legal basis for the processing of personal data by public authorities by means of legislation, this legal basis should not apply to processing operations carried out by public authorities in the performance of their tasks.”

The starting point for any balancing of interests in the context of Art. 6 para. 1 lit. f GDPR are, on the one hand, the personal rights of the data subject and the effects that the processing of the data in question has on the data subject and, on the other hand, the interests of the controller or third parties. The circumstances that the data subject can reasonably expect when visiting a website must also be taken into account in the balancing of interests. This means that as long as the data processing processes carried out by etracker on behalf of the data subject are within the scope of these expectations, it is justifiable to base the permissibility of the corresponding data processing on Art. 6 para. 1 lit. f GDPR.

In this respect, when weighing up interests, it must be taken into account that the persons affected by the web analysis have a comprehensive right to object at any time (Art. 21 para. 2 GDPR), of which they must be expressly informed in the website’s data protection information (Art. 21 para. 4 GDPR). According to Art. 21 para. 3 GDPR, the consequence of the objection is that personal data may no longer be processed, in particular used, for statistical purposes.

If the above considerations are applied to the facts to be assessed here, the following can be stated:

1. Existence of a legitimate interest of the controller or a third party

The guidance issued by the supervisory authorities for telemedia providers of the Conference of Independent Federal and State Data Protection Supervisory Authorities expressly lists the legitimate interests of website operators as, among other things, reach measurement and statistical analyses as well as the optimization of the respective web offering and personalization/individualization of the offering tailored to the respective user.

2. Necessity of data processing to safeguard legitimate interests

According to the above-mentioned guidance, the processing must be suitable to achieve the controller’s interest in the statistical analysis and optimization of the website, whereby no milder, equally effective means may be available. When using etracker analytics, processing is limited to what is necessary. It is not technically possible to collect significantly less personal data, as the TCP/IP protocol already reduces this to what is technically necessary. Personal data is not transferred to third parties by etracker.

3. Weighing up the interests, fundamental rights and freedoms of the data subject in the specific individual case

a) Reasonable expectation of the persons concerned and foreseeability

When using websites and apps, a user does not usually expect their data to be processed by third parties for those parties’ own purposes, extensive profiles to be created across many websites, or granular recordings of their sessions to be made and replayed (so-called session recordings).

With etracker analytics, user data is processed exclusively on behalf of the service provider and not for its own purposes with the aim of creating personalized advertising, without linking it to personal data obtained from other contexts and without passing it on to third parties.

b) Intervention options for data subjects (transparency & possibility of objection)

The legally standardized right to object under Art. 21 para. 2 GDPR is effectively guaranteed. It is possible at any time for a visitor to a website on which etracker technology is used to object to the processing of their data. The associated transparency obligations can be complied with in every respect in accordance with the requirements of Art. 13 and 14 GDPR. For this purpose, etracker provides pre-formulated sample texts.

c) Concatenation of data

Data records are not linked or enriched by default. The transfer of cross-device identifiers is optional and requires a separate risk check.

The actual data processing takes place exclusively and deliberately on a pseudonymized basis (presumably even anonymized). Pseudonymization is an effective means of reducing interference with the rights of the data subject. The IP address is shortened automatically at the earliest possible point in the processing and does not require any adjustment of the settings or the tracking code. The requirements of Art. 5 GDPR and their technical and organizational implementation in accordance with Art. 25 GDPR, in particular Art. 25 para. 2 GDPR (privacy by default), are thus fulfilled. “Information by which the personal data can be attributed to a specific data subject” (Art. 4 No. 5 GDPR) is not stored in the web analytics system by default. Identifiers that would allow conclusions to be drawn about the person of the visitor are also not provided.

d) Actors involved

As a processor, etracker operates as a separate, independent company from its headquarters and data center in Hamburg. In particular, there are no relationships under company law with companies outside the EU or in insecure third countries, which would make it more difficult to protect the rights of data subjects.

e) Duration of the observation

The duration of the observation is limited to a maximum of one day, as all visit identifiers are automatically linked to the respective date, thus preventing visitors from being recognized in standard mode on subsequent days.

f) Group of affected persons (e.g. particularly vulnerable persons)

Even when used on websites that are aimed at particularly vulnerable persons such as children or provide content on sensitive topics, this does not result in the interests, fundamental rights and freedoms of the data subjects being given greater weight. This is because there is no profiling or risk of exploiting particular vulnerabilities.

g) Data categories

The interference with the rights of the data subjects is minimal and has no legal effect for the data subjects. In contrast to a credit assessment by a bank, for example, the only purpose of this application is to analyze pseudonymous, if not anonymous data, usually in aggregated form for an improved website.

h) Scope of data processing

It can be stated that there is no processing of particularly extensive data records or even sensitive data. The depth of intervention is therefore low.

In cookie-less mode, all interactions on the website can be recorded in the same way as with the cookie-based method. However, it is impossible for user profiles to be created and for visitors to be “recognized” over time (identification or re-identification is excluded in both methods, as the IP address is shortened by default at the earliest possible point in time and thus anonymized).

In cookie-less standard mode, the following data is collected and made available for analysis:

  • Information on the end device, operating system and browser used;
  • Geo-information up to city level;
  • the URL called up with the corresponding page title and optional information on the page content;
  • the website from which the accessed individual page was accessed (referrer site including assignment to search engines and social media sites and reading of campaign parameters);
  • the subsequent pages that were accessed from the accessed website within a single website in the session;
  • the time spent on the website;
  • other interactions (clicks) on the website such as search terms entered, files downloaded, external link views, videos viewed, registrations, inquiries, items ordered, etc.

It is not possible to identify unique visitor values, the frequency distribution of sessions per visitor in the period or the linking of visits to customer journeys or conversion paths that result from several visits over longer periods than 24 hours or across several end devices.

Conclusion

Against this background, we consider it justifiable that the data processing described in cookie-less mode is based on Art. 6 para. 1 lit. f GDPR or with the use of cookies on the basis of Art. 6 para. 1 lit. a GDPR, provided that visitors are made aware of the use of this technology by etracker in their data protection declarations and are given the option to opt out. The conclusion of a data processing agreement is mandatory. We offer a template for this at https://server/av-vertrag/, which can be concluded electronically upon commissioning or registration.

Legal basis Consent versus legitimate interest

In a recent judgment, the Administrative Court of Mainz (judgment of 20.02.2020 – 1 K 467/19.MZ, BeckRS 2020, 5397) states that

“Finally, the permissions contained in Art. 6 para. 1 GDPR are equivalent in terms of their legal function and apply alongside each other without the need to assume a tiered relationship. It cannot be concluded from the list of the various permissions that consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR is a primary permission and that the general balancing of interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR is to be understood as a last resort. In this respect, the statutory permissions take into account not only the data protection interests of the data subjects, but also the legitimate interests of the controller in exceptionally permissible data processing (see Schulz, in: Gola, GDPR, 2nd ed. (2018), Art. 6, para. 10).”

Consent, which is also possible, is therefore not “better” or more data protection-friendly than processing on the basis of legitimate interests. Rather, consent entails a large number of additional requirements in order to be valid as truly active, voluntary and informed. It could even be argued that it is more in the interest of users to be able to assume data protection-friendly processing than to be asked for consent in this or a similar form: “We use cookies to provide you with an optimal website experience. This includes cookies, pixels and similar technologies, including those from third parties, which are used to operate the site and to control content and personalized advertisements on our website, social media and partner sites.” In very few cases are users likely to be aware of the extent and risks of the associated data processing when confronted with such dialogs, nor are they likely to be able to reasonably assess the impact without considerable effort, research and expertise.

The legal basis of the legitimate interest therefore corresponds to the principle of privacy by design or privacy by default if the etracker technology is not misused.

Please note

We have written this article after extensive research, discussions with lawyers specializing in data protection law and the external review of etracker solutions and the ePrivacyseal award. This article does not constitute legal advice. Please also note the associated information on data protection in accordance with our General Terms and Conditions and the data processing agreement.

Tag Manager

The balancing of interests (Art. 6 para. 1 lit. f GDPR) as the legal basis for the use of the “Tag Manager” module of etracker analytics

1. Functionality and purpose of the etracker Tag Manager

In order to use the etracker Tag Manager, the etracker tracking code must first be integrated into the HTML of the website, which is the basis for the use of etracker analytics. There is no special code or separate integration for the etracker Tag Manager, as this is not a stand-alone etracker product, but can only be used in combination with etracker analytics.

The etracker Tag Manager offers the following two functions:

  1. Tracking of events, goals and segment dimensions in etracker analytics without programming or adjustments in the HTML of the website.
  2. Integration of tags (third-party code) into a website without programming or adjustments to the HTML of the website and their display according to set conditions and with previously set variables.

The etracker tag manager can also be used exclusively for the configuration of the data collected with etracker analytics (point 1). It is therefore a convenience function that primarily serves the interests of the website operator to optimize processes for the installation and configuration of website functions.

2. Legal conformity and consent requirements for third-party codes

When considering the legal basis for the use of the etracker Tag Manager, a distinction must be made between

  • the Tag Manager itself and
  • the third-party codes that may be delivered via it.

A separate check is required for the legal requirements relating to the third-party codes to be delivered using the Tag Manager; its result depends on the respective third-party code and how it works. When selecting and configuring tags to be delivered, the etracker Tag Manager therefore offers the assignment of a suitable consent category. This is automatically linked to the etracker consent manager, which is intended to ensure that tags requiring consent are only executed with the user’s consent.

For the preconfigured third-party tags, the “Consent” basis is already preset under the “Marketing” purpose. This default setting corresponds to our recommendation for the respective tag in its standard implementation and should be checked again by the customer. For individually integrated tags, the etracker customer is responsible for the correct categorization through their administrator. With regard to a possible consent requirement for third-party tags, access to user devices (in accordance with the TDDDG) and the processing of personal data associated with the tag (in accordance with the GDPR) must be taken into account.

It is important to note in connection with the consent requirement for third-party tags that

According to the TDDDG:

  1. only technically essential cookies are exempt from the consent requirement.
  2. when assessing the necessity of access to end devices, it is important to take an objective, technical view and not whether the access is desirable or economically necessary from the website operator’s point of view.

According to the GDPR:

  • obtaining consent is not per se to be considered more data protection-friendly than the legitimate interest.
  • the balancing of interests can only be considered as a legal basis if the processing does not violate the reasonable expectations of the users and no reasonable, equally effective milder means are available for the purposes.
  • even with consent, there are additional requirements for data protection compliance, namely compliance with principles such as “purpose limitation”, “data minimization”, “privacy by design” and “privacy by default”.

3. Legal conformity and freedom of consent of the etracker Tag Manager itself

3.1 etracker tag manager and TDDDG

The etracker tag manager as such – just like etracker analytics in the corresponding configuration – does not use cookies or similar technologies by means of which information is stored in the end user’s end device or access to information that is already stored in the end device takes place. The etracker tag manager is therefore not subject to consent pursuant to Section 25 TDDDG.

3.2 etracker tag manager and GDPR

This also raises the question of whether the cookie-less mode of etracker analytics, which is provided as standard, is permitted under Art. 6 para. 1 lit. f GDPR or whether consent is required due to the processing of personal data as such. According to Art. 6 para. 1 lit. f GDPR, the processing of personal data is lawful “if the processing is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.”

The starting point for the balancing of interests under Art. 6 para. 1 lit. f GDPR are, on the one hand, the personal rights of the data subject and the effects of processing the data concerned on the data subject and, on the other hand, the interests of the controller or third parties. The circumstances that the data subject can reasonably expect when visiting a website must also be taken into account in the balancing of interests. This means that as long as the data processing processes carried out by etracker on behalf of the data subject are within the scope of these expectations, it is justifiable to base the permissibility of the corresponding data processing on Art. 6 para. 1 lit. f GDPR.

When weighing up interests, it must first be taken into account that the persons affected by the web analysis and associated tag management have a comprehensive right to object at any time (Art. 21 para. 2 GDPR), of which they must be expressly informed in the website’s data protection information (Art. 21 para. 4 GDPR). According to Art. 21 para. 3 GDPR, the consequence of the objection is that personal data may no longer be processed, in particular used, for the relevant purposes. If the above considerations are applied to the facts of the case to be assessed here, the following can be stated:

1. Existence of a legitimate interest of the controller or a third party

The optimization of processes for the installation and configuration of website functions can be regarded as a legitimate interest of the website operator. The indirectly supported functions such as reach measurement and statistical analyses as well as the optimization of the respective website and personalization/individualization of the offer tailored to the respective user are also expressly cited as legitimate interests of website operators in accordance with the guidance of the supervisory authorities for telemedia providers. The use of tag management is therefore also a legitimate interest as an “enabling instrument”, so to speak, for the implementation of these legitimate interests.

2. Necessity of data processing to safeguard legitimate interests

According to the above-mentioned guidance, the processing must be suitable to achieve the interests of the controller, whereby no milder, equally effective means may be available. When using etracker analytics, data processing is limited to what is necessary, even with the Tag Manager module. It is not technically possible to collect significantly less personal data, as the TCP/IP protocol already reduces this to what is technically necessary. Personal data is not transmitted to third parties by etracker analytics itself, but if at all only by the third-party tags, which must be checked independently. In this context, it should be noted that etracker is not a “third party” within the meaning of Art. 4 No. 10 GDPR, but acts as a processor exclusively on the instructions of the website operator and does not pursue its own processing purposes. In view of the purpose pursued, no equally effective and less intrusive means of processing for the data subject can therefore be identified.

3. Weighing up the interests, fundamental rights and freedoms of the data subject in the specific individual case

a) Reasonable expectation of the persons concerned and foreseeability

With etracker analytics, user data is processed exclusively on behalf of the service provider (website operator) and not for the processor’s (etracker’s) own purposes with the aim of creating personalized advertising, without linking it to personal data obtained from other contexts and without passing it on to third parties. No granular session recordings are made and replayed (so-called session recordings). This applies analogously to the etracker Tag Manager module, with which only the tags configured by the client are delivered according to the set conditions and with the set variables. The fact that website operators use convenience functions to optimize processes for the installation and configuration of website functions should be within the reasonable expectations of users.

If implemented correctly, further processing of personal data will only take place with the transparent, voluntary and informed consent of the data subject. The Tag Manager therefore only initiates further processing if this is implemented lawfully.

b) Intervention options for data subjects (transparency & possibility of objection)

The legally standardized right to object under Art. 21 para. 2 GDPR is effectively guaranteed. It is possible at any time for a visitor to a website on which etracker technology is used to object to the processing of their data. The associated transparency obligations can be complied with in every respect in accordance with the requirements of Art. 13 and 14 GDPR. etracker provides sample texts for this purpose.

c) Concatenation of data

At etracker, data processing for statistical purposes is carried out exclusively and deliberately on a pseudonymized basis (depending on the legal perspective, even on an anonymized basis [1]). Pseudonymization is an effective means of reducing interference with the rights of the data subject. The IP address is truncated automatically at the earliest possible point in time during processing and does not require any adjustment of the settings or the tracking code. The requirements of Art. 5 GDPR and their technical and organizational implementation in accordance with Art. 25 GDPR, in particular Art. 25 para. 2 GDPR (privacy by default), are thus fulfilled. “Information by which the personal data can be attributed to a specific data subject” (Art. 4 No. 5 GDPR) is not stored in the web analytics system by default. Identifiers that would allow conclusions to be drawn about the person of the visitor are also not provided.

Data records are not linked or enriched by default. The transfer of cross-device identifiers is optional and requires a separate risk check. The etracker Tag Manager module does not contain any functions for transferring data from one tag provider to another, but only functions for transferring website information to corresponding independent tags at runtime.

d) Actors involved

As a processor, etracker operates as a company bound by the instructions of the controller from a company headquarters and data center in Hamburg (EU). In particular, there are no relationships under company law with companies outside the EU or in insecure third countries, which would make it more difficult to protect the rights of data subjects, nor does etracker, itself or in combination with third parties, provide products or carry out data processing that would entail the further use of data processed by means of the Tag Manager for other (profiling) purposes or that would only make sense for etracker. Furthermore, etracker does not use the information processed by means of the Tag Manager for other purposes of its own or of third parties, in particular the further development or optimization of its own services [2].

e) Duration of the observation

The duration of monitoring using etracker’s own identifiers is limited to a maximum of one day, as all visit identifiers are automatically linked to the respective date, thus preventing visitors from being recognized in standard mode on subsequent days.

f) Group of affected persons (e.g. particularly vulnerable persons)

Even when used on websites that are aimed at particularly vulnerable persons such as children or that provide content on sensitive topics, this does not result in the interests, fundamental rights and freedoms of the data subjects being given greater weight. There is no profiling or risk of exploitation of particular vulnerabilities through web analysis and tag management itself.

g) Data categories

The interference with the rights of the data subjects is proportionately limited in terms of object and severity for the data subjects. Unlike would be the case, for example, with a credit assessment by a bank, the use in question here is solely concerned with the analysis of pseudonymous, if not anonymous, data, usually in aggregated form, for an improved website.

h) Scope of data processing

It can be stated that there is no processing of particularly extensive data records or even sensitive data. The depth of intervention is therefore low.

In cookie-less mode, all interactions on the website can be recorded in the same way as with the cookie-based method. However, no user profiles are created by the Tag Manager even when cookies are used and visitors are not “recognized” over time (identification or re-identification is avoided in both methods as intended, since the IP address is shortened by default at the earliest possible point in time and thus anonymized).

In cookie-less standard mode, the following data is collected and made available for analysis:

  • Information on the end device, operating system and browser used;
  • Geo-information up to city level;
  • the URL called up with the corresponding page title and optional information on the page content;
  • the website from which the accessed individual page was accessed (referrer site including assignment to search engines and social media sites and reading of campaign parameters);
  • the subsequent pages that were accessed from the accessed website within a single website in the session;
  • the time spent on the website;
  • other interactions (clicks) on the website such as search terms entered, files downloaded, external link views, videos viewed, registrations, inquiries, items ordered, etc.

It is not possible to identify unique visitor values, the frequency distribution of sessions per visitor in the time period or the linking of visits to customer journeys or conversion paths that result from several visits over longer periods than 24 hours or across several end devices.
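The two technical properties the balancing relies on, under c) Concatenation of data (the IP address is shortened before anything else happens) and e) Duration of the observation (visit identifiers are bound to the calendar date, so there is no recognition on later days or across devices), can be made concrete in code. The following Python is an added illustration, not etracker’s own implementation: the page does not state the truncation masks or the identifier scheme, so a /24 (IPv4) and /48 (IPv6) mask and a SHA-256 over truncated IP, user agent and date are assumptions for this example, and the sample hits are constructed.

```python
import hashlib
import ipaddress
from datetime import date

# Assumed truncation masks (the page only says the IP is "shortened",
# not by how much): IPv4 keeps the first 24 bits, IPv6 the first 48.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def truncate_ip(ip_text: str) -> str:
    """Shorten the address before it is stored or hashed ("at the earliest possible point").

    After this step several hosts in the same network are indistinguishable,
    which is what makes the remaining data pseudonymous rather than identifying.
    """
    ip = ipaddress.ip_address(ip_text)
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    return str(ipaddress.ip_network(f"{ip}/{keep}", strict=False).network_address)


def daily_visit_id(ip_text: str, user_agent: str, day: date) -> str:
    """Pseudonymous visit identifier bound to the calendar date (illustrative scheme, not etracker's).

    Only the truncated IP, the user agent string and the date enter the hash:
    the same visitor gets a different identifier tomorrow, and a different
    device yields a different identifier on the same day.
    """
    material = "|".join([truncate_ip(ip_text), user_agent, day.isoformat()])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def visits_per_day(hits: list[tuple[str, str, date]]) -> dict[str, int]:
    """Count distinct visit identifiers per day from (ip, user_agent, date) hits.

    Repeated page views of one visit collapse to one identifier within a day,
    but the same visitor on the next day is counted as a new, unrelated visit.
    """
    ids_by_day: dict[str, set[str]] = {}
    for ip, ua, day in hits:
        ids_by_day.setdefault(day.isoformat(), set()).add(daily_visit_id(ip, ua, day))
    return {day: len(ids) for day, ids in ids_by_day.items()}


def can_link_across_days(ip_text: str, user_agent: str, d1: date, d2: date) -> bool:
    """True only if the identifiers for two dates coincide, i.e. recognition over time would be possible."""
    return daily_visit_id(ip_text, user_agent, d1) == daily_visit_id(ip_text, user_agent, d2)


# Constructed sample (documentation-range addresses, not real hosts): one visitor
# seen twice on day one and again on day two, plus a second visitor on day one.
UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
SAMPLE_HITS = [
    ("203.0.113.77", UA, date(2024, 5, 1)),
    ("203.0.113.77", UA, date(2024, 5, 1)),  # second page view, same visit
    ("203.0.113.77", UA, date(2024, 5, 2)),  # same visitor, next day
    ("198.51.100.9", UA, date(2024, 5, 1)),  # different network, day one
]

if __name__ == "__main__":
    print(visits_per_day(SAMPLE_HITS))
    print(can_link_across_days("203.0.113.77", UA, date(2024, 5, 1), date(2024, 5, 2)))
```

Note that two hosts in the same truncated network with the same browser string produce the same identifier: that collision is the price of the truncation and is exactly why unique visitor counts cannot be derived in this mode.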

Conclusion

According to our assessment, the use of the etracker Tag Manager, if it is configured correctly and as intended by the controller, is

  • not subject to consent under Section 25 TDDDG,
  • necessary to safeguard the legitimate interests of the website operator, in the form of secure, legally compliant, high-performance tag management, within the meaning of the legal basis of Art. 6 para. 1 lit. f GDPR,
  • whereby no legitimate interests of the data subjects in not having the data processed outweigh the legitimate interests of the controller, in particular as there is no unauthorized profiling or misappropriation of the processed personal data.

Against this background, we consider it justifiable that the data processing described in the standard mode is based on Art. 6 para. 1 lit. f GDPR or, with the use of cookies, on Art. 6 para. 1 lit. a GDPR, provided that visitors are informed about the use of this technology by etracker in the data protection declarations and are given the option to opt out of data processing. The conclusion of a data processing agreement is mandatory. etracker offers this at https://server/av-vertrag/. The contract can be concluded electronically upon commissioning or registration.


Legal notice: The above balancing of interests is carried out by etracker to the best of its knowledge and belief and has been checked and confirmed in its evaluations by the data protection officer of the processor. It does not claim to be valid in every individual case, generally correct in judicial and official proceedings and does not replace legal advice.

[1] General Court of the EU (EuG), judgment of 26.04.2023, case no. T-557/20, para. 104
[2] Cf. DSK, Guidance (OH) for telemedia providers, as at December 2022, para. 108/108