Germany Update: A regular look at your own website is worthwhile!

The wave of warnings is still rolling through Germany because of the use of Google fonts. This has prompted quite a few website operators to take a look at their own website. If you’ve done the same, hopefully, you’ve not only looked at Google fonts, but looked at your website as a whole. In particular, you should have checked whether cookies are used there and, if so, which ones. In this article, we give practical advice on what to look out for.

What is the legal basis?

The Telecommunications-Telemedia-Datenschutz-Gesetz (TTDSG) regulates whether and how information may be stored on end devices or read from them. It therefore protects end devices from unauthorized access, is, as it were, the front door of the end device. It is irrelevant whether the information concerned is personal data or not.

According to § 25 TTDSG, the storage of information in the terminal device or access to information available there is only permitted if the user has given his prior consent. This is only dispensable if the storage of information in the terminal or access to information already stored in the terminal is absolutely necessary so that the provider of a telemedia service can provide a telemedia service expressly requested by the user. With regard to websites, this means that cookies may only be used if they are either absolutely necessary for the provision of the website or if the visitor to the website has given his express consent beforehand.

The General Data Protection Regulation (GDPR) regulates the subsequent processing of personal data. For this, a legal basis according to GDPR is required. When visiting a website, Art. 6 para. 1 lit. f) GDPR (overriding legitimate interest of the website provider) or consent pursuant to Art. 6 para. 1 lit. a) GDPR are usually considered.

What to look out for?

Does the website use cookies?

No: no consent according to TTDSG or DSGVO required. No entry in the privacy policy necessary. No cookie banner needed.

Yes, only necessary cookies: no consent according to TTDSG and DSGVO required. Reference to cookies in the data protection declaration, stating the legal basis Art. 6 (1) lit. f) GDPR (legitimate interest in the retrievability and correct presentation of the website). Please do not use a cookie banner. This could give the impression that consent to the processing is voluntary and can be revoked by the user at any time with effect for the future, although this is not legally possible.

Yes, (also) non-essential cookies: consent according to TTDSG is required for the non-required cookies and in the case of processing personal data also in accordance with GDPR. A cookie banner is therefore necessary. When designing it, care must be taken to ensure that a rejection can be explained just as easily as the consent.  In addition, the following questions must be answered clearly: Which cookies are involved? Which (personal) data is affected? What happens to them? Who gets access to the data? What are the purposes of the processing? What is the legal basis of the processing?

In addition to the cookie banner, the corresponding information must be provided in the privacy policy.

You should make sure that the website is technically set up in such a way that cookies requiring consent are actually only used after consent has been given.

The privacy policy and the imprint must always be accessible, even before consent and while the cookie banner is displayed.

Can I rely on offered cookie banners?

No. As a website operator, you are also responsible for processes caused by the technical design of the website. Many cookie banners offered do not meet all the requirements of the TTDSG and the GDPR. Therefore, see for yourself whether the tool you have chosen is legally compliant, or seek advice accordingly.

Is a one-time check of the website sufficient?

No way! Even if a website is designed to be TTDSG and GDPR compliant when it is created, this can change. The installation of additional functionalities or updates to the website software or individual components thereof can, for example, suddenly lead to a cookie being set that was not previously used. You cannot assume that you, as the website operator, will be informed of such changes.

The Google fonts warning wave has shown that there is always the risk that data protection violations are searched for on websites – not only by the supervisory authorities. It is therefore highly recommended to take a look at your own website at regular intervals and run it through a cookie scanner. In many cases, the use of the “F12” key when visiting the website can give a first hint. (Tab: Web Storage, menu item: Cookies).

Our data protection team will be happy to assist you in complying with the requirements of the TTDSG and the GDPR on your website – not only with regard to the use of cookies.

By MELCHERS, Germany, a Transatlantic Law International Affiliated Firm.  

For further information or for any assistance please contact germany@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.