Online data protection under German law

The Telemedia Act: Information obligations for Website operators

The Telemedia Act (TMG) (link) presents a number of fundamental parameters, which are relevant on the Internet. The term tele-media does not only include all Websites (WWW addresses), but also

  • E-Mails (newsletter & advertising)
  • Online retrievable services (order platforms for goods or services, Chat platforms, Video platforms, Online-Gaming platforms etc.)
  • News Feeds (RRS Newsfeeds, electronic press)
  • Search engines (Google, Yahoo etc.)
  • Individual communication (person-specific, e.g. Online-Banking)

5 TMG standardizes Information obligations. Here is a list of minimum mandatory information, which must be provided by each company involved in business on the Internet (labelling or masthead obligation).

The details in the imprint obligation must be easily recognizable, immediately accessible (by a rule of thumb: maximum two clicks) and always available. The one-time link of the imprint in a sub-category of the Website or in the newsletter e-mail itself is permissible (not so the multiple linking). For continuous availability, the link must be continuously functional; however, it should not provide a version printable at any time.

The minimum details for the imprint (§ 5 (1) TMG) include:

  • First and family names or authorized representatives of the juridical person
  • Address of the branch
  • Contact data for direct, electronic contact, especially by electronic post (email address)
  • Type of entry-register as well as the register number
  • Specific professional details (for regulated professions, like free professions with statutorily regulated access or professions, whose title management is linked to preconditions.
  • Sales tax identification number
  • Details on Liquidation or Processing for AG, KG, GmbH

With the link below, an imprint can be generated quickly, easily and free of charge: https://www.activemind.de/datenschutz/impressums-generator/

Web-Tracking

Tracking is legally determined by sector specific regulation, namely the TMG. The TMG Act distinguishes in § 14 and § 15 Inventory and Use data, which can be subject to individual-related information and thus underlie special regulations depending upon the situation. Especially for use data, the TMG provides exceptions for Tracking with the purpose of advertising and market research.

Risks for the right of informational self-determination of the data subject especially arise through creating profiles by the use of various data sources. The linking of analysis data with other use data is determinative and fraught with risk. If a person can be identified in that manner, processing or use of personal data must be conjectured. For this, restrictive regulations then apply.

Special preconditions apply for tracking use data or personal data (§ 12 (3) TMG). The TMG does not deviate from the principles of the BDSG: there must either be a consent or a statutory authorization. The preconditions for consent are set down in § 13 (2) TMG:

  • Granting of consent must be deliberate & unambiguous
  • The consent must be on record
  • The contents of the consent must be retrievable at any time for the user
  • The consent must be revocable at any time with effect for the future

A statutory authorization is solely present in § 15 (3). Especially, the need to use a pseudonym (also see “Definitions”) does not enable companies to add user data to the results of the Web analysis.
User data as per § 15 (1) TMG is:

  • Features for identification of the user
  • Details for the start, the end or the scope of use
  • Details of the tele-media used by the user

On this basis itself, Web tracking is still unlawful if the user is not expressly instructed in the Data protection declaration about the analytical tool (§ 13 (1) TMG) and about his right to revoke at any time (§ 15 (3) TMG) (the latter is often absent in App applications).

Checklist for lawful data processing:

  • Use of Pseudonyms for user profiles (e.g. a shortened IP address)
  • Separate processing/use of Tracking data and User data from user profiles
  • Note on Tracking in the general Data protection declaration
  • Note & technical implementation of the option of revocation at any time
    not sufficient for cookies: Requirement of setting up a general Cookie-block for the entire Web browser
  • Obtaining a Consent for the creation of personal user profiles (e.g. by merging Tracking and inventory or user data)
    This especially includes the complete recording of the IP address including determination of location!