
etracker analytics is the tracking solution for public bodies


by Katrin Nebermann

Public bodies that use etracker justify its use on the basis of Art. 6 para. 1 sentence 1 lit. e GDPR for the performance of a public task or for the performance of a task carried out in the public interest, namely the operation of websites and the associated analysis and optimization. The criterion of necessity in the sense of data economy and data minimization is decisive for the question of consent. It must always be checked whether personal data must be processed at all and, if so, whether there is no milder, equally suitable means available to achieve the purpose.

When using etracker in the cookie-less standard, the mildest means available for the task is selected. This is because only pseudonymous visit identifiers are generated from the user agent, the pseudonymized (directly shortened) IP address and the date of the day, which per se rule out profiling and recognition on subsequent days. Thomas Brehm, an expert in data protection law, even argues that this does not constitute a personal reference. According to Brehm, the GDPR does not imply a personal reference for all online identifiers. Rather, it depends on whether the data relates to a person, or can be related to one, in the specific individual case (see also Hanloser: Geräte-Identifier im Spannungsfeld von DS-GVO, TMG und ePrivacy-VO, Zeitschrift für Datenschutz (ZD) 2018, 213). Due to the small number of information elements and the explicit time limitation, it is impossible to link the identifier to an individual person and thus to identify them or make them identifiable.

It is sometimes assumed that the supervisory authorities regard local implementations of analysis software such as Piwik/Matomo as the mildest means. However, this is not the case. Rather, the guidance issued by the supervisory authorities for telemedia providers mentioned local implementations only as an example of a milder means compared to services such as Google Analytics: “The goal – reach measurement – can also be achieved with milder, equally suitable means that collect significantly less personal data and do not transmit it to third parties (e.g. without involving third parties via a local implementation of analytics software).” In particular, the controller must ensure a suitable level of security against unauthorized access when using a local implementation, which SaaS providers such as etracker can guarantee with dedicated system administrators, independent penetration tests and the like. In this respect, the level of protection with a SaaS solution is generally higher than with a local implementation.

The consent required in accordance with the BGH ruling when storing data on or reading data from the user’s end device or as required by Section 15 para. 3 sentence 1 TMG when creating user profiles for the purpose of advertising or market research does not apply to etracker’s cookie-less session tracking. No user profiles are explicitly created, nor is data stored in the end device via cookies and similar technologies, nor is data read from the end device. Only technical data that the browser sends to the web server and which cannot be used to establish a personal reference is recorded. Even in combination, the data such as operating system, browser, device type and city are far too coarse to draw conclusions about a person or a computer.

Furthermore, the DSK paper from 2019 on tracking and the supervisory authorities’ press releases on the use of Google Analytics from November 2019 make it clear that no general consent requirement is assumed for tracking. The justification for the consent requirement for Google Analytics states: “If providers of third-party services integrated into websites also use the data collected there for their own purposes, the website operator must obtain the explicit consent of the users.” Conversely, this means that tracking with pure order processing is possible without consent, provided that the basic principle of purposeful necessity is not violated, no user profiles are created and no cookies are used. This is because the supervisory authorities have not claimed that the use of Google Analytics requires consent in the same way as the use of other tracking solutions. Rather, the requirement for consent is based on the fact that Google also has a right to the data and links it to its own data or data from other websites. None of this is the case with etracker.

Following the recent ECJ ruling on the Privacy Shield, the requirements are supplemented by the fact that personal data should ideally only be processed within the EU in order to ensure GDPR-compliant processing and thus avoid having to fear high fines. The same applies to etracker: processing takes place exclusively in the EU, more precisely in Germany.

In an independent audit by ePrivacy GmbH, all etracker products were checked against the background of GDPR compliance and awarded the ePrivacy Seal excellent. The conclusion of the report states: “In cookie-less mode (standard mode), the use of etracker analytics is lawful without any requirement for consent.” This also fulfills the requirement of the Data Protection Conference: “Controllers must prove that the processing of personal data is lawful as part of their accountability under Art. 5 para. 2 GDPR.”

This means that etracker offers the perfect tracking solution for public bodies – GDPR-compliant, data storage exclusively in Germany and with the premises of data economy and customer data sovereignty.
