The guidance of the German Data Protection Conference (DSK) on digital services (version 1.2, November 2024) gives providers of such services a comprehensive overview of their legal obligations, in particular under the Telecommunications Digital Services Data Protection Act (TDDDG) and the General Data Protection Regulation (GDPR). We summarize the main points of the guidance.
Scope of application of the TDDDG and demarcation from the GDPR
The TDDDG protects privacy in the use of terminal equipment (browsers, smartphones, smart TVs and the like) and contains special provisions on technical and organizational measures as well as information obligations. The GDPR, in contrast, governs the processing of personal data. The guidance sets out the different protection objectives of the two sets of rules and describes how they interlock: the TDDDG governs whether information may be stored on or read from the device at all, the GDPR governs what may then be done with any personal data obtained.
A central point of the guidance is Section 25 TDDDG, which regulates the storage of information in, and access to information already stored in, the end user's terminal equipment, regardless of whether that information is personal data. This provision goes beyond the GDPR because it protects the integrity and confidentiality of the terminal equipment itself rather than the personal data.
Need for consent and exceptions pursuant to Section 25 TDDDG
Section 25 TDDDG is built on the principle that consent is required: information may only be stored in or read from terminal equipment if the end user has consented on the basis of clear and comprehensive information. This consent must meet the requirements of the GDPR (Art. 4 No. 11 and Art. 7 GDPR): it must be freely given, specific, informed and unambiguous, and it must be possible to withdraw it at any time.
Consent is not required, however, where the storage of or access to the information is strictly necessary in order to:
- carry out the transmission of a message over a public telecommunications network (Section 25 (2) No. 1 TDDDG), or
- provide a digital service expressly requested by the user (Section 25 (2) No. 2 TDDDG).
The guidance emphasizes that these exceptions are to be interpreted narrowly and gives specific examples, e.g. for security cookies or shopping cart functions.
Requirements for consent banners
Consent banners are the key instrument for implementing these requirements in practice. The guidance calls for a transparent design that offers users a genuine choice. In particular, it points out the following:
- Transparency: All purposes of the storage or access and of the subsequent data processing must be presented clearly and comprehensibly before the user decides.
- Voluntariness: The option to refuse consent must be offered on the same level and with the same prominence as the option to consent; a "reject all" choice must not be hidden behind additional clicks that "accept all" does not require.
- User-friendliness: Withdrawing consent must be as easy as giving it (Art. 7 (3) GDPR), and nothing requiring consent may be stored or read before the user has decided.
Designs that use "dark patterns" (misleading colours, pre-ticked boxes, repeated prompts, buried refusal options) to nudge or pressure users into consenting are not permitted. Controllers must ensure that their banners satisfy both the GDPR and the TDDDG.
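To make the Section 25 TDDDG distinction and the banner requirements concrete, here is an added example (not part of the DSK guidance or of the page above) of a minimal consent gate for browser storage. Every storage key is declared with a purpose; keys serving a strictly necessary purpose (Section 25 (2) No. 2) may be written and read at any time, all other keys are refused until purpose-specific consent is recorded, and withdrawal both revokes the consent and purges what was stored under it. The key names, purposes and the `ConsentGate` class are hypothetical, and a `Map` stands in for `document.cookie`/`localStorage` so the example runs outside a browser (for example under Node.js).

```javascript
// Added example, not code from the DSK guidance or the source page.
// A consent gate modelled on Section 25 TDDDG: storage and access are refused
// unless the purpose is strictly necessary or the user has consented to it.

const NECESSARY = 'necessary';

// Hypothetical purpose registry: every key the site may write is declared up
// front with the purpose it serves. Unregistered keys are refused (fail closed).
const PURPOSE_OF_KEY = {
  session_id: NECESSARY,   // login / shopping cart for the requested service
  csrf_token: NECESSARY,   // security token for the requested service
  _ga: 'analytics',        // reach measurement: needs consent
  ad_id: 'marketing',      // advertising: needs consent
};

class ConsentGate {
  constructor() {
    this.storage = new Map();     // stands in for document.cookie / localStorage
    this.consented = new Set();   // purposes the end user has agreed to
    this.decisions = [];          // audit log of every allow/deny decision
  }

  // Consent is purpose-specific: granting 'analytics' says nothing about 'marketing'.
  grant(purposes) {
    for (const p of purposes) {
      if (p !== NECESSARY) this.consented.add(p);
    }
  }

  // Withdrawal must be as easy as consent: one call revokes the purposes and
  // purges everything written under them, so no further access can occur.
  // Returns the number of purged keys.
  withdraw(purposes) {
    let purged = 0;
    for (const p of purposes) {
      this.consented.delete(p);
      for (const [key, purpose] of Object.entries(PURPOSE_OF_KEY)) {
        if (purpose === p && this.storage.delete(key)) purged++;
      }
    }
    return purged;
  }

  // Single decision point for storing and reading (Section 25 (1) covers both).
  _allowed(op, key) {
    const purpose = PURPOSE_OF_KEY[key];
    let allowed;
    let reason;
    if (purpose === undefined) {
      allowed = false; reason = 'unregistered key';
    } else if (purpose === NECESSARY) {
      allowed = true; reason = 'strictly necessary (Section 25 (2) No. 2)';
    } else if (this.consented.has(purpose)) {
      allowed = true; reason = `consent recorded for ${purpose}`;
    } else {
      allowed = false; reason = `no consent for ${purpose}`;
    }
    this.decisions.push({ op, key, allowed, reason });
    return allowed;
  }

  set(key, value) {
    if (!this._allowed('set', key)) return false;
    this.storage.set(key, value);
    return true;
  }

  get(key) {
    if (!this._allowed('get', key)) return undefined;
    return this.storage.get(key);
  }
}

// Walks through the lifecycle: before consent, after consent, after withdrawal.
function runScenario() {
  const gate = new ConsentGate();
  const result = {};

  // Before any decision: only strictly necessary keys may be touched.
  result.cartBeforeConsent = gate.set('session_id', 'abc123');    // true
  result.analyticsBeforeConsent = gate.set('_ga', 'GA1.2.1');     // false
  result.unknownKey = gate.set('tracker', '1');                   // false

  // The user consents to analytics only.
  gate.grant(['analytics']);
  result.analyticsAfterConsent = gate.set('_ga', 'GA1.2.1');      // true
  result.marketingAfterConsent = gate.set('ad_id', 'xyz');        // false

  // The user withdraws: the analytics key is purged, later reads are refused,
  // the strictly necessary session key is untouched.
  result.purged = gate.withdraw(['analytics']);                   // 1
  result.analyticsReadAfterWithdrawal = gate.get('_ga');          // undefined
  result.cartAfterWithdrawal = gate.get('session_id');            // 'abc123'
  result.denials = gate.decisions.filter((d) => !d.allowed).length; // 4
  return result;
}
```

The point of routing every read and write through one decision function is that the "before consent" state is enforced by construction rather than by remembering to wrap each tracking call; the audit log it keeps is also what an inspection by a supervisory authority would ask to see.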
Lawfulness of the processing of personal data
Any processing of personal data in connection with a digital service must rest on one of the legal bases in Art. 6 (1) GDPR, for example:
- consent (lit. a),
- performance of a contract (lit. b), or
- legitimate interests (lit. f).
The guidance makes clear that Art. 6 (1) lit. f GDPR is often not sufficient in practice, above all where third-party providers are integrated who pursue purposes of their own (for instance tracking across sites). Consent under Section 25 TDDDG for the access to the device does not replace the GDPR legal basis for the processing that follows; providers must ensure that both exist for every processing operation.
Recommendations for companies
The DSK's guidance gives providers of digital services a clear yardstick for the legally compliant operation of their services. It stresses the importance of a high level of data protection and urges caution when integrating third-party providers and designing consent processes. Companies should therefore take the following recommendations to heart:
- Analysis and review: Companies should carry out a comprehensive analysis of their digital services and check whether they meet the requirements of the TDDDG and the GDPR.
- Consent management: A user-friendly, transparent and legally compliant design of the consent banners is essential.
- Training and sensitization: Employees, especially in IT and marketing, should be trained on the new requirements.
- Involve the data protection officer: The company data protection officer should be involved in all processes to ensure compliance.
- Regular audits: Data protection measures should be regularly reviewed and adapted to new legal and technological developments.
Implementing the requirements requires technical and organizational measures that go beyond mere compliance with minimum legal requirements. In view of the growing regulatory requirements in the digital space, continuous review and adaptation of data protection measures is essential.
Source: Guidance from the supervisory authorities for providers of digital services (OH Digital Services) Version 1.2 (November 2024)