Data protection 1×1 for marketers

by Katrin Nebermann

These four data protection terms repeatedly cause misunderstandings. . However, understanding the legal significance is essential in order to avoid data breaches in digital marketing:

1. Data processing
2. Personal data
3. Necessity
4. Overriding legitimate interest

The terms are defined in the GDPR. However, the definitions sound quite abstract. We therefore want to explain them simply using a practical example.

We found this wording in the privacy policy of one website:

“This website uses the […] Tag Manager. The […] Tag Manager is a solution that allows us to manage website tags via an interface. The tool implements tags, but is itself a cookie-free domain and does not collect any personal data. It merely triggers other tags, which in turn may collect data – but which the Tag Manager does not access. No personal data is collected or stored by this tool. The use of the […] Tag Manager is based on our legitimate interest (Art. 6 para. 1 sentence 1 lit. f) GDPR).”

With this in mind, let’s take a look at the four terms:

1. data processing

In the example above, it is claimed that the tag manager used does not collect any data, does not access any data and does not store any data. On the other hand, data processing is carried out on the basis of legitimate interest. So is data being processed, yes or no? Very important: Storage is only one possible type of processing. According to Art. 4 No. 2 GDPR, processing also includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Put simply, any handling of data is data processing!

Since it is well known that nothing works on the web without data, you can simply say that every active tool on a website always processes data.

If in doubt, open the Dev Tools in the browser with F12 and check the network activity.

2. personal data

The question of whether personal data is processed is just as easy to answer as the question of data processing. This is because the connection to the tool’s server always requires the transmission of the respective IP address. The IP address has been ruled by the highest court to be personal data. And processing does not require storage!

Therefore always applies to applications on the web: personal data is processed.

It does not matter whether the IP address is anonymized before further processing. First of all, it always arrives in full. And anonymization is also processing.

In the context of tracking tools, other personal data in addition to the IP address may be processed deliberately or “accidentally”. What does “accidentally” mean? Data from the website is transferred in a structured manner using various parameters that can be viewed in the Dev Tools:

Personal data can be transferred in the parameters specifically provided for this purpose, such as a user or cookie ID. However, they can also be part of the URL, for example, and thus be transferred “unintentionally”, so to speak. This is often the case on pages after a login. This may constitute a violation of Art. 5 GDPR, which requires data minimization as one of the principles of processing personal data: Personal data must therefore be “limited to what is necessary for the purposes of the processing”. Unintentional capture in particular has no “real” purpose and is therefore particularly critical.

However, not every user ID automatically has a personal reference. According to the judgment of the General Court of the European Union (EGC) of 26.4.2023 (Ref.: T-557/20), the following conditions must apply to a personal reference for IDs:

1. In contrast to anonymous data, the person behind the ID can be re-identified by using additional, separately stored information.
2. The data recipient(s) have this information for re-identification or have legal means to access such information.

When using tools or tags from Google, Meta & Co., website operators must also consider their options, as they are not only processors, but also data recipients.

So we can take it with us:

• With website tools and tags, personal data is always processed at least with the IP address.
• Personal data may only be processed in a form and for as long as necessary for a legitimate purpose (keyword “data minimization”) and must be protected in the best possible way. It is imperative to avoid “unintentional” recording in URLs and parameters. “Required” personal data should be anonymized where possible.

Important: The processing of personal data does not necessarily lead to the obligation to obtain prior consent from the user.

Consent is only mandatory if the processing is neither necessary nor outweighs your own interests.

3. necessity

According to the TTDSG, tracking tools may only access users’ device memory if this is absolutely necessary or if the user has given their prior consent. For the criterion of absolute necessity, the user’s perspective must be taken, i.e. whether the function primarily serves the interests of the users of the website. The German supervisory authorities’ guidance sets out further criteria for assessing necessity, such as the type of information and the duration of storage.

For the moebel.de website, website personalization, web analytics and tag management are also identified as technically necessary:

To put it mildly, this is adventurous in terms of data protection law. This is because the Tag Manager primarily serves the marketers and not the users. Website personalization, on the other hand, is unlikely to be considered a basic service and comprehensive web analysis is also excluded from necessity by the supervisory authorities:

“Even the simple measurement of visitor numbers is therefore not to be classified per se as part of the basic service, but depends on the specific purpose pursued in each case. The error-free delivery of the website may, for example, be covered by the user’s request, while the profitability of advertisements generally only serves the primary interests of the website operator.“
(Guidance of the German supervisory authorities, page 28f.)

The French supervisory authority has even declared the use of Google’s reCAPTCHA function to be subject to consent. This is because the use is not limited to what is necessary:

“However, the Google reCaptcha mechanism not only serves to secure the authentication mechanism for the benefit of users, but also enables analysis processes on the part of Google.”
(https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000047346903, para. 86)

However, the following end device storage processes can be considered technically necessary for tracking:

• Setting and reading cookies to implement the objection function, i.e. the opt-out from data processing. This primarily serves the interests of the user (and usually against the interests of the website operator) to record the decision made and not have to repeat it with every website visit.
• Caching of analysis processes in local or session memory to ensure the best possible use of the website and its performance for the user. An example of this is the scroll depth measurement, so that not every scroll movement leads to a data transmission, but the scroll depth data is sent “bundled” every few seconds. Another prerequisite is that the associated data processing within the meaning of the GDPR does not require consent.

Access to end devices is therefore not deemed to be absolutely necessary and therefore not permitted without prior consent:

• Cookies from marketing platforms such as Google, Meta, LinkedIn and Tiktok.
• Other advertising and marketing cookies including affiliate marketing.
• Statistics cookies that store identifiers to recognize users over time, especially if this is done across devices, websites or days.
• Cookies for tag management and conversion optimization in the primary interest of marketers

4. overriding legitimate interest

The European Court of Justice (ECJ), i.e. the highest European court, ruled on July 4, 2023 in the case of Meta against the German Federal Cartel Office(case C-252/21) on the legitimate interest that

• the data must be limited to what is necessary for the purposes of processing (data minimization) and may not be further processed in a manner incompatible with these purposes (necessity),
• a balancing of the opposing interests must take into account the reasonable expectations of the data subjects and the scope of the processing in question, and
• the responsible party (website operator) must be able to prove compliance through its own review of the provider or through an independent certificate (accountability).

The ECJ interprets the principle of necessity very narrowly and requires that there must be no reasonable and equally effective milder means for the purposes. If the solution used is significantly less data protection-friendly or if the provider is also pursuing its own purposes, the solution fails the legitimate interest test.

The ECJ also applies a tough standard when it comes to reasonable expectations and contradicts the view that users of free services should expect their data or personalized advertising to be passed on:

“In this respect, it should be noted that, even if the services of an online social network such as Facebook are free of charge, the user of this network cannot reasonably expect that the operator of this social network will process his personal data without his consent for the purpose of personalizing advertising.”

With regard to the scope of data processing by the large marketing platforms, the ECJ states:

“Moreover, the processing at issue in the main proceedings is particularly extensive, since it concerns potentially unlimited data and has a significant impact on the user, whose online activities are largely, if not almost entirely, recorded by Meta Platforms Ireland, which may give him the feeling that his private life is being continuously monitored.”

Tags or tools of the major marketing platforms may therefore not be used under the legitimate interest.

Conclusion on data protection 1×1 for marketers

Regardless of which analysis and marketing tools are used, personal data is always processed within the meaning of the GDPR. However, this does not necessarily mean that consent is required. Cookies with session or user IDs (regardless of whether they can be used to identify users) are almost always subject to consent. Only maximum data protection-friendly solutions can be used under the legitimate interest. The main requirements are

• Can only be used with the conclusion of an AV contract
• Automatic shortening of the IP address before persisting
• Anonymized user IDs must be limited to 24 hours
• Reporting with anonymized data without the possibility of re-identifying the user
• No use for own purposes, linking with data of other customers or forwarding to third parties
• No session recording or mouse movement recording
• Direct objection function in the privacy policy
• Connection to marketing platforms for uploading conversion data only without user IDs
• Further processing only of anonymized data in reporting solutions such as Google Looker Studio or Microsoft Power BI
• Fulfillment of the required accountability through an independent audit

---

The contents have been researched with the utmost care. Nevertheless, the provider cannot accept any liability for the accuracy, completeness and up-to-dateness of the information provided. In particular, the information is of a general nature and does not constitute legal advice in individual cases.