Introduction
Article 6 GDPR lists the legal bases on which data processing is permitted. For websites, essentially only two of them come into question.
The first is the voluntary consent of the website visitor (also referred to simply as Consent), which the person granting it can withdraw at any time.
The second reason is the legitimate interest of the operator of a website.
Because obtaining consent involves significant formal requirements and consent requests are often avoided, many try to cite legitimate interest as justification. This is also used as an excuse when nothing else comes to mind, for example, when responding to a data subject request or in a legal dispute.
What situations actually require consent?
Cookies
The case is clear when a website uses cookies that are not technically necessary, meaning every cookie that is not absolutely required. Cookies that can be regarded as genuinely necessary are, for example, those for session management or for the VG Wort count used to calculate the statutory author's remuneration.
Anything that serves to track users, such as counting users, must first be critically questioned and is, in my opinion, definitely not necessary if the cookie lifespan exceeds 24 hours.
The legal basis for obtaining consent when using cookies is laid down in Art. 5(3) of the ePrivacy Directive and, more recently, in § 25 TTDSG. The TTDSG makes clear, however, that cookies for tracking users are not technically necessary: even session cookies used to count users are not required "in order for the provider of a telemedia service to make available a telemedia service explicitly desired by the user." The ePrivacy Directive says much the same, since the TTDSG follows the wording of that directive very closely.
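As an added example (not code from the article or its author), the following Python script applies the 24-hour rule of thumb stated above to Set-Cookie headers: session cookies pass, cookies living up to 24 hours are flagged for review, anything longer is marked as needing consent. The sample headers and the fixed reference time are constructed; giving Max-Age precedence over Expires follows RFC 6265.

```python
# Added example (not from the article): classify Set-Cookie headers using the
# article's rule of thumb that a cookie living longer than 24 hours is not
# technically necessary. Sample headers and the fixed "now" are constructed.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

MAX_NECESSARY_LIFETIME = timedelta(hours=24)
NOW = datetime(2026, 10, 20, 12, 0, tzinfo=timezone.utc)  # constructed reference time

def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr=val; Flag' into a dict; attribute keys are lower-cased."""
    name_value, *attrs = (part.strip() for part in header.split(";"))
    name, _, value = name_value.partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in attrs:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() or True  # flags such as HttpOnly become True
    return cookie

def cookie_lifetime(cookie: dict, now: datetime) -> Optional[timedelta]:
    """Remaining lifetime, or None for a session cookie (RFC 6265: Max-Age wins over Expires)."""
    if isinstance(cookie.get("max-age"), str):
        return timedelta(seconds=int(cookie["max-age"]))
    if isinstance(cookie.get("expires"), str):
        return parsedate_to_datetime(cookie["expires"]) - now
    return None

def classify_cookie(header: str, now: datetime = NOW) -> tuple:
    """Return (name, lifetime, verdict); 'long-lived' means consent is needed under the 24h rule."""
    cookie = parse_set_cookie(header)
    lifetime = cookie_lifetime(cookie, now)
    if lifetime is None:
        verdict = "session"
    elif lifetime <= MAX_NECESSARY_LIFETIME:
        verdict = "short-lived"
    else:
        verdict = "long-lived"
    return cookie["name"], lifetime, verdict

# Constructed headers: a session id, a two-year tracking id, a preference cookie expiring tomorrow.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly; SameSite=Lax",
    "visitor_id=4242; Max-Age=63072000; Path=/; Secure",
    "prefs=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
]
```

Run the classifier over the Set-Cookie headers of a real response to get a first inventory before asking which cookies actually serve the service the visitor requested.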
Unnecessary data transfers
Art. 5(1)(c) GDPR sets out the obligation of data minimisation. Accordingly, data processing must be appropriate to its purpose and limited to what is necessary for that purpose. Art. 25 GDPR additionally requires data protection by design.
An example of an unnecessary data transfer is an image embedded on a website but loaded from a third-party server, when the image could just as well be stored on one's own server. Whenever the browser contacts a server other than the site's own, traffic data including the user's network address is transmitted to a third party. Since the network address counts as personal data, such a transfer is not permitted as a matter of course. This is the reverse of what many assume: data transfers to third parties are not permitted per se and are at most permissible in the specific individual case under consideration.
Critical data transfers
I consider data transfers to insecure third countries to be critical. An insecure third country is any country for which the GDPR does not apply and for which no adequacy decision exists from the European Commission. In my view, this also applies to adequacy decisions that appear untenable. For example, no decision by the European Commission changes the fact that, from the perspective of the GDPR, the USA processes data of European citizens unlawfully.
With providers from insecure third countries, standard contractual clauses (SCC) or binding corporate rules (BCR) can be concluded to address the problem. This only works if national legislation respects such agreements, which is not the case in the US. As long as the Cloud Act, FISA and EO 12333 exist, the answer to the question of whether data transfers to third parties in the US are permitted without consent remains: no.
Article 44 GDPR and the articles that follow set out the requirements. As Article 49 GDPR makes clear, such high-risk transfers may be based on consent only as an exception and not on a permanent basis. Almost every website that asks for consent for tools from American providers, such as the Facebook Pixel or Google Analytics, is in breach of this. ([1]) ([2]) ([3])
A critical data transfer occurs, for example, when a file is retrieved from a server of an American provider. Here too, the user's network address is always transferred as personal data.
Excursion: Consent solutions
It seems that many either do not want to know this or are simply unaware of it. Both are equally bad: the consent tools from OneTrust and UserCentrics potentially send data to the USA, and this already happens when the scripts that build the consent dialogue are loaded (see the linked practical tests, which show how OneTrust and UserCentrics fare against the GDPR in practice).
Consequently, the consent requests from OneTrust and UserCentrics themselves require consent before the annoying and often seriously flawed so-called cookie popup can even be displayed.
Technically necessary services
A digital service is also referred to as a tool. Services in this sense are, for example, Matomo, Google Maps, OpenStreetMap or external fonts. The term is used here in the broadest sense and also covers external images. It can be justified by the English verb "to serve": a server is a servant or attendant, so every access to an external server amounts to the use of a service. This also includes merely sending data to a server without expecting a response (example: sending tracking data to a Google server via Google Analytics).
A digital service is any communication with a server.
Broad definition of the term "service" in the context of digital data protection
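The following Python script is an added example, not tooling from the article or its author. It lists, for one page, every host other than the site's own that the browser will contact through images, scripts, stylesheets, fonts, preconnect hints or tracking pixels, which covers both the third-party image case from the section on unnecessary data transfers and the broad definition of a service given above. The page URL and the vendor hosts (.test TLD) are constructed.

```python
# Added example (not the article's own tooling): list every resource a page pulls
# from a foreign host; each such request sends the visitor's network address there.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute triggers a request; <link> counts only for fetching/connecting rels.
FETCH_TAGS = {"img": "src", "script": "src", "iframe": "src", "source": "src", "link": "href"}
FETCH_RELS = {"stylesheet", "preload", "modulepreload", "icon", "preconnect", "dns-prefetch"}

class ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every element that makes the browser connect out."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr_name = FETCH_TAGS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCH_RELS:
                return  # rel="canonical" and the like are metadata, not a fetch
        if attrs.get(attr_name):
            self.refs.append((tag, attrs[attr_name]))

def third_party_transfers(html, page_url):
    """Map each foreign host to the (tag, absolute url) pairs that contact it."""
    own_host = urlparse(page_url).hostname
    collector = ResourceCollector()
    collector.feed(html)
    found = {}
    for tag, ref in collector.refs:
        absolute = urljoin(page_url, ref)  # resolves relative and protocol-relative refs
        host = urlparse(absolute).hostname
        if host and host != own_host:
            found.setdefault(host, []).append((tag, absolute))
    return found

# Constructed sample page: own host is www.example.org, vendor hosts use the .test TLD.
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="https://mirror.example-vendor.test/page">
<link rel="preconnect" href="https://fonts.example-vendor.test">
<link rel="stylesheet" href="//fonts.example-vendor.test/css?family=Demo">
<script src="https://consent.example-vendor.test/cmp.js"></script>
</head><body>
<img src="/img/logo.png" alt="logo">
<img src="https://cdn.example-vendor.test/hero.jpg" alt="hero">
<img src="https://analytics.example-vendor.test/pixel.gif" width="1" height="1">
</body></html>"""
```

Note that the preconnect hint is reported as well: the browser opens a connection to that host, and thereby discloses the visitor's network address, before any resource is fetched.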
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
