Data privacy

  2. Home
  4. Docs
  6. Data privacy
  8. Balance of interests
  10. Tag Manager

Tag Manager

The balancing of interests (Art. 6 para. 1 lit. f GDPR) as the legal basis for using the “Tag Manager” module of etracker Analytics.

1. Functionality and purpose of the etracker Tag Manager

In order to use the etracker Tag Manager, the etracker tracking code must first be integrated into the HTML of the website, which is the basis for the use of etracker Analytics. There is no special code or separate integration for the etracker Tag Manager, as it is not an independent etracker product, but can only be used in combination with etracker Analytics.

The etracker Tag Manager offers the following two functions:

  1. Tracking of events, targets and segment dimensions in etracker Analytics without programming or adjustments in the HTML of the website.
  2. Integration of tags (third-party code) into a website without programming or adjustments to the HTML of the website and their display according to set conditions and with previously set variables.

The etracker Tag Manager can also be used here exclusively for the configuration of the data collected with etracker Analytics (point 1). This is therefore a convenience function that primarily serves the interests of the website operator in optimizing processes for installing and configuring website functions.

2. Legal conformity and consent requirement for third-party codes

When considering the legal basis for the use of the etracker Tag Manager, it is important to distinguish between the

  • the Tag Manager itself and
  • and third party codes that may be displayed via the etracker Tag Manager.

A separate check is required for the legal requirements relating to the third-party codes to be displayed via the Tag Manager, the result of which depends on the third-party code in question and how it functions. When selecting and configuring tags to be displayed, the etracker Tag Manager therefore offers the assignment of a suitable content category. This is automatically linked to the etracker Consent Manager, which is intended to ensure that tags requiring consent are only displayed with the user’s consent.

For the preconfigured third-party tags, the basis “Consent” is already preset under purpose “Marketing”. This default setting corresponds to our recommendation for the respective tag in its standard implementation and should be checked again by the customer. For individually integrated tags, the etracker customer is responsible for the correct categorization through their administrator. With regard to a possible consent requirement for third-party tags, the access to user end devices (in accordance with TTDSG) and the processing of personal data associated with the tag (in accordance with GDPR) must be considered in particular.

It is important to note in connection with the consent requirement of third-party tags that

according to TTDSG

  1. only technically absolutely necessary cookies are exempt from the consent requirement.
  2. when assessing the necessity of end device accesses, it is a matter of an objective technical consideration and not whether the accesses are desirable or necessary from the website operator’s point of view for business reasons.

according to DSGVO

  • obtaining consent is not to be considered more data-protection-friendly per se than legitimate interest.
  • the balancing of interests can only be considered as a legal basis if the processing does not violate reasonable expectations of users and no reasonable, equally effective mitigating means are available for the purposes.
  • even in the case of consent, there are additional requirements for data privacy compliance, namely compliance with principles such as “purpose limitation,” “data minimization,” “privacy by design,” and “privacy by default.”

3. Legal compliance and freedom from consent of the etracker Tag Manager itself

3.1 etracker Tag Manager and the TTDSG

The etracker Tag Manager as such – just like etracker Analytics in the corresponding configuration – does not use cookies or similar technologies by means of which information is stored in the end user’s terminal equipment or access to information that is already stored in the terminal equipment takes place. Thus, the etracker Tag Manager does not require consent in accordance with § 25 TTDSG.

3.2 etracker Tag Manager and the GDPR

The question also arises as to whether the cookie-less mode of etracker Analytics, which is provided as standard, can be legitimized by Art. 6 (1) lit. f GDPR even when the Tag Manager module is used, or whether consent is required due to the processing of personal data as such. According to Art. 6 (1) (f) GDPR, the processing of personal data is lawful “if the processing is carried out for the purposes of safeguarding the legitimate interests of the controller, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subjects.”

The starting point for the balancing of interests pursuant to Art. 6 (1) f GDPR is, on the one hand, the personal right of the data subject and the effects that processing the data in question would have on him, and on the other hand, the interests of the controller or third parties. As part of the balancing process, the circumstances that the data subject can reasonably assume when visiting a website must also be taken into account. This means that as long as the data processing carried out by etracker on behalf is within the scope of these expectations, it can be argued that the permissibility of the corresponding data processing can be based on Art. 6 (1) lit. f GDPR.

In the context of the balancing of interests, it must first be taken into account that the persons affected by the web analysis and associated tag management have a comprehensive right to object at any time (Article 21 (2) GDPR), to which they must be expressly informed in the website’s data protection notices (Article 21 (4) GDPR). According to Article 21 (3) GDPR, the objection has the consequence that personal data may no longer be processed, in particular used, for related purposes.

If the above considerations are applied to the facts to be assessed here, the following can be stated:

1. Existence of a legitimate interest of the responsible parties or a third party

The optimization of the processes for installing and configuring website functions can be considered a legitimate interest of the website operator. The functions indirectly supported by this, such as coverage measurement and statistical analyses, as well as the optimization of the respective web offer and personalization/individualization of the offer tailored to the respective users, are also explicitly cited as legitimate interests of website operators in accordance with the guidance of the supervisory authorities for telemedia providers. As an “enabling tool” for the implementation of these legitimate interests, the use of tag management is therefore also a legitimate interest.

2. Necessity of the data processing to safeguard the legitimate interests.

According to the above guidance, the processing must be suitable to achieve the interests of the controller, with no milder, equally effective means available. When using etracker Analytics, even with the Tag Manager module, data processing is limited to what is necessary. The collection of significantly less personal data is not technically possible, as a reduction to the technically necessary level is already achieved by the TCP/IP protocol. A transfer of personal data to third parties does not take place through etracker Analytics itself, but if necessary only through the third-party tags that are to be checked independently. In this context, it should be noted that etracker is not a “third party in the sense of Art. 4 No. 10 GDPR, but acts as an order processor exclusively according to the instructions of the website operator and does not pursue its own processing purposes. With regard to the purpose pursued, equally effective and milder means of processing in terms of their impact on the data subject are therefore not discernible.

3. Balancing with the interests, fundamental rights and freedoms of the data subject in the specific individual case

a) Reasonable expectation of the data subjects and foreseeability.

With etracker Analytics, user data is processed exclusively on behalf of the service provider (website operator) and not also for the processor’s (etracker) own purposes with the aim of creating personal advertising, without linking it to personal data obtained from other contexts and without passing it on to third parties. Also, no granular session recordings are made and made replayable (so-called session recordings). This applies analogously to the etracker Tag Manager module, with which only the tags configured by the client are played according to the set conditions and with the set variables. The fact that website operators use convenience functions to optimize processes for installing and configuring website functions should be within the bounds of reasonable user expectations. 

If implemented correctly, further processing of personal data will only take place after transparently obtained, voluntary and informed consent of the data subject. The Tag Manager therefore initiates further processing only to the extent that it is implemented lawfully.

b) Possibilities for data subjects to intervene (transparency & right to object).

The statutory standardized right of objection of Art. 21 (2) GDPR is effectively guaranteed. It is possible at any time for a visitor to a website on which etracker’s technology is used to object to the processing of his or her data. The associated transparency obligations can be complied with in every respect in accordance with the requirements of Art. 13 and 14 GDPR. For this purpose, etracker provides sample texts.

c) Linking of data

Data processing for statistical purposes at etracker is carried out exclusively and quite deliberately on a pseudonymized basis (even anonymized[1], depending on the legal perspective). Pseudonymization is an effective means of reducing the encroachment on the rights of the data subject. The shortening of the IP address is automated at the earliest possible point in the processing and does not require any adjustment of the settings or the tracking code. This fulfills the requirements of Art. 5 GDPR and its technical-organizational implementation according to Art. 25 GDPR, in particular Art. 25 (2) GDPR (privacy by default). “Information with which the personal data can be assigned to a specific data subject” (Art. 4 No. 5 GDPR) is not stored by default in the web analytics system. Nor are identifiers provided that would allow conclusions to be drawn about the person of the visitor.

By default, there is no linking and enrichment of data records. The transfer of cross-device identifiers is optional and requires a separate risk check. The etracker Tag Manager module does not contain any functions for transferring data from one tag provider to another, but only functions for transferring website information to corresponding independent tags at runtime.

d) Actors involved

As a processor, etracker operates as a company bound by the instructions of the data controller from a company headquarters and data center in Hamburg (EU). In particular, etracker does not have any legal relationships with companies outside the EU or in unsafe third countries, which would make it more difficult to protect the rights of data subjects, nor does etracker itself or in combination with third parties provide products or carry out data processing that would entail the further use of data processed by means of the Tag Manager for other (profiling) purposes or would even make sense for etracker alone. Furthermore, etracker does not use the information processed by means of the Tech Manager for other own or third-party purposes, in particular for the further development or optimization of its own services2.

e) Duration of observation

The duration of observation by means of etracker’s own identifiers is limited to a maximum of one day, as all visit identifiers are automatically linked to the respective date, thus making it impossible to recognize visitors in standard mode on subsequent days.

f) Group of data subjects (e.g. particularly vulnerable persons)

Even when used on websites that are aimed at particularly vulnerable persons such as children or provide content on sensitive topics, this does not result in the interests, fundamental rights and freedoms of the data subjects being given a higher weighting. Neither profiling nor the risk of exploitation of particular vulnerabilities is carried out by the web analytics and tag management itself.

g) Categories of data

The encroachment on the rights of the data subjects is relatively limited in terms of subject matter and severity for the data subjects. Unlike, for example, a credit rating by a bank, the use at issue here is solely concerned with the analyses of pseudonymous, if not anonymous, data, usually in aggregated form, for an improved web presence.

h) Scope of data processing

It can be stated that there is no processing of particularly extensive data sets or even sensitive data. The depth of intervention is therefore low.

In cookie-less mode, all interactions on the website can be recorded in the same form as with the cookie-based method. However, even when cookies are used, no user profiles are created by the Tag Manager and visitors are not “recognized” over time (identification or re-identification is avoided in both methods as intended, since the IP address is shortened by default at the earliest possible time and thus anonymized).

In cookie-less standard mode, the following data is collected and made available for analysis:

  • Information on the end device used, operating system and browser;
  • Geo-information up to a maximum of city level;
  • the URL called up with the associated page title and optional information on the page content;
  • the website from which the accessed individual page was reached (referrer site including assignment to search engines and social media sites as well as readout of campaign parameters);
  • the subsequent pages that were called up from the called-up website within a single website in the session;
  • the length of time spent on the website;
  • other interactions (clicks) on the website such as search terms entered, files downloaded, external link views, videos watched, registrations, inquiries, items ordered, etc.

It is not possible to show unique visitor values, the frequency distribution of sessions per visitor during the period, or the chaining of visits into customer journeys or conversion paths that occur over multiple visits over periods longer than 24 hours or across multiple devices.

Conclusion

According to this assessment, the use of the etracker Tag Manager provided that it is configured correctly and in accordance with its intended use by the person responsible

  • does not require consent according to § 25 TTDSG,
  • necessary to protect the legitimate interests of the website operator, in the form of secure, legally compliant, high-performance tag management within the meaning of the legal basis of Art. 6 (1) lit. f GDPR,
  • where no legitimate interests of the data subjects in not processing outweigh the legitimate interests of the controller, in particular no unauthorized profiling, or misappropriation of the processed personal data to be feared.

Against this background, we consider it justifiable that the data processing presented in standard mode can be justified on the basis of Art. 6 (1) lit. f GDPR or with the use of cookies on the basis of Art. 6 (1) lit. a GDPR, provided that visitors are made aware of the use of this technology by etracker as part of their privacy statements and are given the option to opt out of data processing. It is mandatory to conclude an order processing contract. This is offered by etracker at https://www.etracker.com/en/dpa/. The contract can be concluded electronically upon commissioning or registration.

Legal notice: The above assessment of interests is made by etracker to the best of its knowledge and belief and has been reviewed and confirmed by the data protection officer of the processor. It does not claim to be valid in every individual case, generally correct in legal and official proceedings and does not replace legal advice.

1 EuG, Urt. V. 26.04.2023, AZ T‑557/20, TZ 104

2See DSK, OH Anbieter von Telemedien Stand Dezember 2022, TZ 108/108