- More on Google Analytics and GDPR in Europe
- Checklist for data processing agreements from German supervisory authorities
- CJEU: Scope of special category personal data
- Frankfurt Court of Appeals: The receipt of free e-books may trigger an obligation for influencers to label their posts as advertising
- Kassel Local Court: Confirmation email in double opt-in process not spam
- Advocate General/CJEU: Scope of the right to access under the GDPR
- Düsseldorf Administrative Court on the right to access under article 15 of the GDPR
- Recommended reading in the areas of EU and German IT and data protection law
1. More on Google Analytics and GDPR in Europe
by Dr Andreas Splittgerber
After several decisions by EU data protection authorities regarding the ‘old’ set-up of Google Analytics (situations prior to the new Standard Contractual Clauses (SCCs) and certain changes by Google; see also our previous posts and podcast), EU data protection authorities are now firm in their position that the use of Google Analytics and similar tools in such situations is not compliant with GDPR or, at the very least, are quite problematic. There are not yet any published decisions on Google Analytics under new SCCs. The Commission Nationale de l'Informatique et des Libertés (National Commission for Computing and Liberties) (CNIL) has now published guidance on the data protection-friendly use of Google Analytics (reach measurement) via a proxy solution.
Conclusion: EU data protection authorities have taken a close look at the use of website trackers. The main issues are the data transfers to the United States that cannot be justified with user consent. The CNIL solution is a first “help” by a data protection authority on how to use Google Analytics (and similar tools), however, organizations will then only be able to use a portion of the tool’s functionalities.
2. Checklist for data processing agreements from German supervisory authorities
by Friederike Wilde-Detmering, M.A.
In coordination with various other German data protection authorities, the Berlin Commissioner for Data Protection and Freedom of Information published a checklist for reviewing data processing agreements (DPAs) on 19 July 2022. The checklist was created for the review of DPAs with web hosts, but it is also helpful and relevant beyond this purpose. Complete instructions have been published together with the checklist.
Conclusion: The checklist deals with topics that are often disputed in practice (for example, identification of specific safety measures and costs for audits) and therefore generally offers beneficial guidance for drafting and negotiating DPAs.