Google Analytics vs. GDPR – is that even possible?

We are currently receiving many inquiries from uncertain clients regarding the new General Data Protection Regulation (GDPR). During an initial analysis of the homepage, it immediately becomes apparent that most clients use an analysis tool – mostly Google Analytics or Matomo (formerly Piwik). Such tools are useful and indispensable for good online marketing.

But now the question arises: to what extent can these tools still be used to be compliant with the GDPR?

Admittedly, we believe that the GDPR, and in particular its German implementation, has overshot its target. This creates enormous uncertainty in most companies, and regular business operations are hardly possible without the fear of violating some GDPR provision. But back to the actual topic: is the tracking of user data on a website still permissible from the point of view of the General Data Protection Regulation?

Basically no! At least not without a few special adjustments. This is also confirmed by the position of the Conference of Independent Data Protection Authorities of the Federal Government. The statement of the German authorities can be found here:

https://www.ldi.nrw.de/mainmenu_Datenschutz/submenu_Technik/Inhalt/TechnikundOrganisation/Inhalt/Zur-Anwendbarkeit-des-TMG-fuer-nicht-oeffentliche-Stellen-ab-dem-25_-Mai-2018/Positionsbestimmung-TMG.pdf

But now to the real thing: how can Google Analytics be implemented in compliance with the law? This requires a look at the provisions of Art. 6 para. 1 lit. f GDPR. You should therefore follow these steps:

  1. Sign a Data Processing Agreement (DPA) with Google. You can find this contract here:

     http://static.googleusercontent.com/media/www.google.de/de/de/analytics/terms/de.pdf

  2. Accept the data processing addendum with Google. You may have wondered what the “Data Processing Supplement” option in your Google Analytics account settings is for. This is the relevant setting for the GDPR. Once you enable this feature, your site visitors’ interests are protected. It is also important that you enter the following information manually:
    1. the person responsible (i.e. the legal person responsible for the data processing),
    2. a contact (i.e. a person/contact to whom communications relating to the data processing conditions can be sent),
    3. a data protection officer (if one is to be appointed),
    4. an EEA representative (only relevant for companies that are not established in the European Union).

  3. Install an easy way for your website users to opt out.

You can use the following two JavaScript snippets:

First, add the opt-out link, which calls gaOptout() and confirms the opt-out with an alert:

<a onclick="alert('Google Analytics has been disabled');" href="javascript:gaOptout()">deactivate Google Analytics</a>

For the above link to work, the following script must be installed globally on the website, before the Analytics tracking code is loaded (the ga-disable flag only takes effect if it is set before analytics.js runs):

<script type="text/javascript">
// Set to the same value as the web property used on the site
var gaProperty = 'UA-XXXX-Y';

// Disable tracking if the opt-out cookie exists.
var disableStr = 'ga-disable-' + gaProperty;
if (document.cookie.indexOf(disableStr + '=true') > -1) {
  window[disableStr] = true;
}

// Opt-out function: sets the opt-out cookie and disables tracking for this page load.
function gaOptout() {
  document.cookie = disableStr + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/';
  window[disableStr] = true;
}
</script>

  4. Implement IP anonymization. This zeroes out the last two blocks of the IP address (e.g. 108.138.0.0) so that the respective website visitor can no longer be identified.
  5. Integrate a data protection declaration that complies with the law within the meaning of Art. 12 and 13 GDPR.
  6. Do not activate the User-ID feature.
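The opt-out and tracking setup from the steps above, rewritten as an added example (not code from the original post or from Google) in pure functions so the cookie check can be tested outside a browser. 'UA-XXXX-Y' is the placeholder property id used in the post; the analytics.js command names (create, set anonymizeIp, send) are Google's documented ones.

```javascript
// Added example, not code from the original post: the opt-out logic above as
// pure functions, so the cookie check and the tracking setup can be tested
// outside a browser. 'UA-XXXX-Y' is the placeholder property id from the post.
const GA_PROPERTY = 'UA-XXXX-Y';                   // replace with the site's property
const DISABLE_KEY = 'ga-disable-' + GA_PROPERTY;   // flag name honoured by analytics.js

// Parse a document.cookie-style "a=1; b=2" string into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// True when the visitor has opted out. Matching the cookie name exactly avoids
// the false positive of the post's indexOf() check, which also fires for a
// cookie whose name merely ends in "ga-disable-UA-XXXX-Y".
function isOptedOut(cookieString) {
  return parseCookies(cookieString)[DISABLE_KEY] === 'true';
}

// Cookie string the opt-out link sets (same attributes as the post's snippet).
function optOutCookie() {
  return DISABLE_KEY + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/';
}

// analytics.js commands the page should issue: none at all when opted out,
// otherwise create + anonymizeIp, and never a userId (the IP anonymization
// and User-ID points from the list above).
function gaCommands(cookieString) {
  if (isOptedOut(cookieString)) return [];
  return [
    ['create', GA_PROPERTY, 'auto'],
    ['set', 'anonymizeIp', true],
    ['send', 'pageview'],
  ];
}

// Browser wiring: set the flag before analytics.js loads and expose gaOptout()
// for the link in the post. Skipped when run under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window[DISABLE_KEY] = isOptedOut(document.cookie);
  window.gaOptout = function () {
    document.cookie = optOutCookie();
    window[DISABLE_KEY] = true;
  };
}
```

In a real deployment the commands returned by gaCommands() are passed to ga() one by one, after this script and before any other tracking call.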

We hope that this short explanation has taken some of the horror out of the GDPR in relation to Google Analytics (as well as other analysis tools).

If you have any questions about GDPR, do not hesitate to contact German lawyer Stephan Hendel who specialises in data protection and IT law. Having a Canadian family background, Stephan is fluent in English and is well aware of the different business mentalities of Anglo-American as well as German entrepreneurs. Our German and international clients appreciate Stephan’s pragmatic hands on approach.

Within the Cross-Channel-Lawyer network, Stephan is the expert for all legal matters surrounding IT, cyber law, data protection issues and compliance with German law.

For more on German business and corporate law see these posts:

Data Protection and German Businesses: New GDPR 2018 will cause a Flood of Lawsuits

Company managers and British parent companies of German subsidiaries had better take this issue very seriously, because the German version of the GDPR is much stricter than the GDPR rules as applied in the UK.

So if you are running a business in Germany, you should ensure that your German company is in full compliance, for instance in accounting and human resources, because the German business mentality is to torture competitors with costly cease and desist letters.

Germans are Data Protection Extremists

When it comes to data protection in a company, it is often overlooked that sensitive personal data is also processed in areas that do not immediately spring to mind, like accounting for instance. While other legal regulations in accounting prescribe processing or long-term storage, this is usually not the case in controlling.

In view of the requirements of the EU General Data Protection Regulation (GDPR), all data processing in accounting and controlling in particular should be checked and, if necessary, adjusted. Such an adjustment could be achieved, for example, by pseudonymisation (removal of all directly identifying features) or anonymisation (removal of all personal data).

This article presents these using examples:

(1) Data protection for personal data

The data protection regulations apply whenever personal data is processed. According to Art. 4 para. 1 GDPR, this means all information relating to an identified or identifiable natural person (…). In accounting, such data is regularly found in accounts payable and accounts receivable. If the accounting department also handles employee data management and payroll accounting, “special categories of personal data” are even processed.

(2) Sensitive data due to processing or quantity

However, even if no employee data is processed in accounting or controlling, personal data may still be present there which can affect the data subjects if it is viewed by unauthorised persons. This is obvious, for example, for notes on (negative) payment behaviour (creditworthiness index).

Sometimes the context (the accompanying circumstances) of the processing is sufficient in itself, even if no financial or health data is stored. Very descriptive examples would be the debtor evaluation of a specialist in cosmetic surgery or the customer file of an erotic mail-order business.

(3) Risks in practice

In accounting it is often the case that personal data is exported, e.g. for various evaluations, from the hopefully well-secured accounting programs. These “Excel files” are then often sent by e-mail without further protection. Even though this alone often violates data protection regulations, it also increases the risk that third parties can view the data. In the case of e-mails, for example, an inadvertently wrong recipient is sufficient.

(4) Pseudonymization: identification via detours possible

Apart from a secure form of transmission, pseudonymisation offers a further possibility of reducing the risk of data misuse for those affected. For this purpose, essentially all personal data that would enable a person to be clearly identified are removed, with the exception of one value. The remaining data may not directly identify the person concerned; only by consulting another file or another document may the person be identifiable.

(5) Conclusion

Pseudonymisation and anonymisation offer two suitable ways of reducing data protection risks. Particularly with regard to evaluations, it is worth checking whether short-term evaluations, for which detailed checks may still be necessary, can be pseudonymised, and whether this data can then be summarised and processed further anonymously after a specified time interval.
